2 * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
3 * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
4 * Copyright 2005 Nokia. All rights reserved.
6 * Licensed under the Apache License 2.0 (the "License"). You may not use
7 * this file except in compliance with the License. You can obtain a copy
8 * in the file LICENSE in the source distribution or at
9 * https://www.openssl.org/source/license.html
15 #include "../ssl_local.h"
16 #include "statem_local.h"
17 #include <openssl/buffer.h>
18 #include <openssl/rand.h>
19 #include <openssl/objects.h>
20 #include <openssl/evp.h>
21 #include <openssl/md5.h>
22 #include <openssl/dh.h>
23 #include <openssl/rsa.h>
24 #include <openssl/bn.h>
25 #include <openssl/engine.h>
26 #include <openssl/trace.h>
27 #include <openssl/core_names.h>
28 #include <openssl/param_build.h>
29 #include "internal/cryptlib.h"
31 static MSG_PROCESS_RETURN
tls_process_as_hello_retry_request(SSL_CONNECTION
*s
,
33 static MSG_PROCESS_RETURN
tls_process_encrypted_extensions(SSL_CONNECTION
*s
,
36 static ossl_inline
int cert_req_allowed(SSL_CONNECTION
*s
);
37 static int key_exchange_expected(SSL_CONNECTION
*s
);
38 static int ssl_cipher_list_to_bytes(SSL_CONNECTION
*s
, STACK_OF(SSL_CIPHER
) *sk
,
41 static ossl_inline
int received_server_cert(SSL_CONNECTION
*sc
)
43 return sc
->session
->peer_rpk
!= NULL
|| sc
->session
->peer
!= NULL
;
47 * Is a CertificateRequest message allowed at the moment or not?
53 static ossl_inline
int cert_req_allowed(SSL_CONNECTION
*s
)
55 /* TLS does not like anon-DH with client cert */
56 if ((s
->version
> SSL3_VERSION
57 && (s
->s3
.tmp
.new_cipher
->algorithm_auth
& SSL_aNULL
))
58 || (s
->s3
.tmp
.new_cipher
->algorithm_auth
& (SSL_aSRP
| SSL_aPSK
)))
65 * Should we expect the ServerKeyExchange message or not?
71 static int key_exchange_expected(SSL_CONNECTION
*s
)
73 long alg_k
= s
->s3
.tmp
.new_cipher
->algorithm_mkey
;
76 * Can't skip server key exchange if this is an ephemeral
77 * ciphersuite or for SRP
79 if (alg_k
& (SSL_kDHE
| SSL_kECDHE
| SSL_kDHEPSK
| SSL_kECDHEPSK
88 * ossl_statem_client_read_transition() encapsulates the logic for the allowed
89 * handshake state transitions when a TLS1.3 client is reading messages from the
90 * server. The message type that the server has sent is provided in |mt|. The
91 * current state is in |s->statem.hand_state|.
93 * Return values are 1 for success (transition allowed) and 0 on error
94 * (transition not allowed)
96 static int ossl_statem_client13_read_transition(SSL_CONNECTION
*s
, int mt
)
98 OSSL_STATEM
*st
= &s
->statem
;
101 * Note: There is no case for TLS_ST_CW_CLNT_HELLO, because we haven't
102 * yet negotiated TLSv1.3 at that point so that is handled by
103 * ossl_statem_client_read_transition()
106 switch (st
->hand_state
) {
110 case TLS_ST_CW_CLNT_HELLO
:
112 * This must a ClientHello following a HelloRetryRequest, so the only
113 * thing we can get now is a ServerHello.
115 if (mt
== SSL3_MT_SERVER_HELLO
) {
116 st
->hand_state
= TLS_ST_CR_SRVR_HELLO
;
121 case TLS_ST_CR_SRVR_HELLO
:
122 if (mt
== SSL3_MT_ENCRYPTED_EXTENSIONS
) {
123 st
->hand_state
= TLS_ST_CR_ENCRYPTED_EXTENSIONS
;
128 case TLS_ST_CR_ENCRYPTED_EXTENSIONS
:
130 if (mt
== SSL3_MT_FINISHED
) {
131 st
->hand_state
= TLS_ST_CR_FINISHED
;
135 if (mt
== SSL3_MT_CERTIFICATE_REQUEST
) {
136 st
->hand_state
= TLS_ST_CR_CERT_REQ
;
139 if (mt
== SSL3_MT_CERTIFICATE
) {
140 st
->hand_state
= TLS_ST_CR_CERT
;
143 #ifndef OPENSSL_NO_COMP_ALG
144 if (mt
== SSL3_MT_COMPRESSED_CERTIFICATE
145 && s
->ext
.compress_certificate_sent
) {
146 st
->hand_state
= TLS_ST_CR_COMP_CERT
;
153 case TLS_ST_CR_CERT_REQ
:
154 if (mt
== SSL3_MT_CERTIFICATE
) {
155 st
->hand_state
= TLS_ST_CR_CERT
;
158 #ifndef OPENSSL_NO_COMP_ALG
159 if (mt
== SSL3_MT_COMPRESSED_CERTIFICATE
160 && s
->ext
.compress_certificate_sent
) {
161 st
->hand_state
= TLS_ST_CR_COMP_CERT
;
168 case TLS_ST_CR_COMP_CERT
:
169 if (mt
== SSL3_MT_CERTIFICATE_VERIFY
) {
170 st
->hand_state
= TLS_ST_CR_CERT_VRFY
;
175 case TLS_ST_CR_CERT_VRFY
:
176 if (mt
== SSL3_MT_FINISHED
) {
177 st
->hand_state
= TLS_ST_CR_FINISHED
;
183 if (mt
== SSL3_MT_NEWSESSION_TICKET
) {
184 st
->hand_state
= TLS_ST_CR_SESSION_TICKET
;
187 if (mt
== SSL3_MT_KEY_UPDATE
) {
188 st
->hand_state
= TLS_ST_CR_KEY_UPDATE
;
191 if (mt
== SSL3_MT_CERTIFICATE_REQUEST
) {
192 #if DTLS_MAX_VERSION_INTERNAL != DTLS1_2_VERSION
193 /* Restore digest for PHA before adding message.*/
194 # error Internal DTLS version error
196 if (!SSL_CONNECTION_IS_DTLS(s
)
197 && s
->post_handshake_auth
== SSL_PHA_EXT_SENT
) {
198 s
->post_handshake_auth
= SSL_PHA_REQUESTED
;
200 * In TLS, this is called before the message is added to the
201 * digest. In DTLS, this is expected to be called after adding
202 * to the digest. Either move the digest restore, or add the
203 * message here after the swap, or do it after the clientFinished?
205 if (!tls13_restore_handshake_digest_for_pha(s
)) {
206 /* SSLfatal() already called */
209 st
->hand_state
= TLS_ST_CR_CERT_REQ
;
216 /* No valid transition found */
221 * ossl_statem_client_read_transition() encapsulates the logic for the allowed
222 * handshake state transitions when the client is reading messages from the
223 * server. The message type that the server has sent is provided in |mt|. The
224 * current state is in |s->statem.hand_state|.
226 * Return values are 1 for success (transition allowed) and 0 on error
227 * (transition not allowed)
229 int ossl_statem_client_read_transition(SSL_CONNECTION
*s
, int mt
)
231 OSSL_STATEM
*st
= &s
->statem
;
235 * Note that after writing the first ClientHello we don't know what version
236 * we are going to negotiate yet, so we don't take this branch until later.
238 if (SSL_CONNECTION_IS_TLS13(s
)) {
239 if (!ossl_statem_client13_read_transition(s
, mt
))
244 switch (st
->hand_state
) {
248 case TLS_ST_CW_CLNT_HELLO
:
249 if (mt
== SSL3_MT_SERVER_HELLO
) {
250 st
->hand_state
= TLS_ST_CR_SRVR_HELLO
;
254 if (SSL_CONNECTION_IS_DTLS(s
)) {
255 if (mt
== DTLS1_MT_HELLO_VERIFY_REQUEST
) {
256 st
->hand_state
= DTLS_ST_CR_HELLO_VERIFY_REQUEST
;
262 case TLS_ST_EARLY_DATA
:
264 * We've not actually selected TLSv1.3 yet, but we have sent early
265 * data. The only thing allowed now is a ServerHello or a
268 if (mt
== SSL3_MT_SERVER_HELLO
) {
269 st
->hand_state
= TLS_ST_CR_SRVR_HELLO
;
274 case TLS_ST_CR_SRVR_HELLO
:
276 if (s
->ext
.ticket_expected
) {
277 if (mt
== SSL3_MT_NEWSESSION_TICKET
) {
278 st
->hand_state
= TLS_ST_CR_SESSION_TICKET
;
281 } else if (mt
== SSL3_MT_CHANGE_CIPHER_SPEC
) {
282 st
->hand_state
= TLS_ST_CR_CHANGE
;
286 if (SSL_CONNECTION_IS_DTLS(s
)
287 && mt
== DTLS1_MT_HELLO_VERIFY_REQUEST
) {
288 st
->hand_state
= DTLS_ST_CR_HELLO_VERIFY_REQUEST
;
290 } else if (s
->version
>= TLS1_VERSION
291 && s
->ext
.session_secret_cb
!= NULL
292 && s
->session
->ext
.tick
!= NULL
293 && mt
== SSL3_MT_CHANGE_CIPHER_SPEC
) {
295 * Normally, we can tell if the server is resuming the session
296 * from the session ID. EAP-FAST (RFC 4851), however, relies on
297 * the next server message after the ServerHello to determine if
298 * the server is resuming.
301 st
->hand_state
= TLS_ST_CR_CHANGE
;
303 } else if (!(s
->s3
.tmp
.new_cipher
->algorithm_auth
304 & (SSL_aNULL
| SSL_aSRP
| SSL_aPSK
))) {
305 if (mt
== SSL3_MT_CERTIFICATE
) {
306 st
->hand_state
= TLS_ST_CR_CERT
;
310 ske_expected
= key_exchange_expected(s
);
311 /* SKE is optional for some PSK ciphersuites */
313 || ((s
->s3
.tmp
.new_cipher
->algorithm_mkey
& SSL_PSK
)
314 && mt
== SSL3_MT_SERVER_KEY_EXCHANGE
)) {
315 if (mt
== SSL3_MT_SERVER_KEY_EXCHANGE
) {
316 st
->hand_state
= TLS_ST_CR_KEY_EXCH
;
319 } else if (mt
== SSL3_MT_CERTIFICATE_REQUEST
320 && cert_req_allowed(s
)) {
321 st
->hand_state
= TLS_ST_CR_CERT_REQ
;
323 } else if (mt
== SSL3_MT_SERVER_DONE
) {
324 st
->hand_state
= TLS_ST_CR_SRVR_DONE
;
332 case TLS_ST_CR_COMP_CERT
:
334 * The CertificateStatus message is optional even if
335 * |ext.status_expected| is set
337 if (s
->ext
.status_expected
&& mt
== SSL3_MT_CERTIFICATE_STATUS
) {
338 st
->hand_state
= TLS_ST_CR_CERT_STATUS
;
343 case TLS_ST_CR_CERT_STATUS
:
344 ske_expected
= key_exchange_expected(s
);
345 /* SKE is optional for some PSK ciphersuites */
346 if (ske_expected
|| ((s
->s3
.tmp
.new_cipher
->algorithm_mkey
& SSL_PSK
)
347 && mt
== SSL3_MT_SERVER_KEY_EXCHANGE
)) {
348 if (mt
== SSL3_MT_SERVER_KEY_EXCHANGE
) {
349 st
->hand_state
= TLS_ST_CR_KEY_EXCH
;
356 case TLS_ST_CR_KEY_EXCH
:
357 if (mt
== SSL3_MT_CERTIFICATE_REQUEST
) {
358 if (cert_req_allowed(s
)) {
359 st
->hand_state
= TLS_ST_CR_CERT_REQ
;
366 case TLS_ST_CR_CERT_REQ
:
367 if (mt
== SSL3_MT_SERVER_DONE
) {
368 st
->hand_state
= TLS_ST_CR_SRVR_DONE
;
373 case TLS_ST_CW_FINISHED
:
374 if (s
->ext
.ticket_expected
) {
375 if (mt
== SSL3_MT_NEWSESSION_TICKET
) {
376 st
->hand_state
= TLS_ST_CR_SESSION_TICKET
;
379 } else if (mt
== SSL3_MT_CHANGE_CIPHER_SPEC
) {
380 st
->hand_state
= TLS_ST_CR_CHANGE
;
385 case TLS_ST_CR_SESSION_TICKET
:
386 if (mt
== SSL3_MT_CHANGE_CIPHER_SPEC
) {
387 st
->hand_state
= TLS_ST_CR_CHANGE
;
392 case TLS_ST_CR_CHANGE
:
393 if (mt
== SSL3_MT_FINISHED
) {
394 st
->hand_state
= TLS_ST_CR_FINISHED
;
400 if (mt
== SSL3_MT_HELLO_REQUEST
) {
401 st
->hand_state
= TLS_ST_CR_HELLO_REQ
;
408 /* No valid transition found */
409 if (SSL_CONNECTION_IS_DTLS(s
) && mt
== SSL3_MT_CHANGE_CIPHER_SPEC
) {
413 * CCS messages don't have a message sequence number so this is probably
414 * because of an out-of-order CCS. We'll just drop it.
417 s
->rwstate
= SSL_READING
;
418 rbio
= SSL_get_rbio(SSL_CONNECTION_GET_SSL(s
));
419 BIO_clear_retry_flags(rbio
);
420 BIO_set_retry_read(rbio
);
423 SSLfatal(s
, SSL3_AD_UNEXPECTED_MESSAGE
, SSL_R_UNEXPECTED_MESSAGE
);
427 static int do_compressed_cert(SSL_CONNECTION
*sc
)
429 /* If we negotiated RPK, we won't try to compress it */
430 return sc
->ext
.client_cert_type
== TLSEXT_cert_type_x509
431 && sc
->ext
.compress_certificate_from_peer
[0] != TLSEXT_comp_cert_none
;
435 * ossl_statem_client13_write_transition() works out what handshake state to
436 * move to next when the TLSv1.3 client is writing messages to be sent to the
439 static WRITE_TRAN
ossl_statem_client13_write_transition(SSL_CONNECTION
*s
)
441 OSSL_STATEM
*st
= &s
->statem
;
444 * Note: There are no cases for TLS_ST_BEFORE because we haven't negotiated
445 * TLSv1.3 yet at that point. They are handled by
446 * ossl_statem_client_write_transition().
448 switch (st
->hand_state
) {
450 /* Shouldn't happen */
451 SSLfatal(s
, SSL_AD_INTERNAL_ERROR
, ERR_R_INTERNAL_ERROR
);
452 return WRITE_TRAN_ERROR
;
454 case TLS_ST_CR_CERT_REQ
:
455 if (s
->post_handshake_auth
== SSL_PHA_REQUESTED
) {
456 if (do_compressed_cert(s
))
457 st
->hand_state
= TLS_ST_CW_COMP_CERT
;
459 st
->hand_state
= TLS_ST_CW_CERT
;
460 return WRITE_TRAN_CONTINUE
;
463 * We should only get here if we received a CertificateRequest after
464 * we already sent close_notify
466 if (!ossl_assert((s
->shutdown
& SSL_SENT_SHUTDOWN
) != 0)) {
467 /* Shouldn't happen - same as default case */
468 SSLfatal(s
, SSL_AD_INTERNAL_ERROR
, ERR_R_INTERNAL_ERROR
);
469 return WRITE_TRAN_ERROR
;
471 st
->hand_state
= TLS_ST_OK
;
472 return WRITE_TRAN_CONTINUE
;
474 case TLS_ST_CR_FINISHED
:
475 if (s
->early_data_state
== SSL_EARLY_DATA_WRITE_RETRY
476 || s
->early_data_state
== SSL_EARLY_DATA_FINISHED_WRITING
)
477 st
->hand_state
= TLS_ST_PENDING_EARLY_DATA_END
;
478 else if ((s
->options
& SSL_OP_ENABLE_MIDDLEBOX_COMPAT
) != 0
479 && s
->hello_retry_request
== SSL_HRR_NONE
)
480 st
->hand_state
= TLS_ST_CW_CHANGE
;
481 else if (s
->s3
.tmp
.cert_req
== 0)
482 st
->hand_state
= TLS_ST_CW_FINISHED
;
483 else if (do_compressed_cert(s
))
484 st
->hand_state
= TLS_ST_CW_COMP_CERT
;
486 st
->hand_state
= TLS_ST_CW_CERT
;
487 return WRITE_TRAN_CONTINUE
;
489 case TLS_ST_PENDING_EARLY_DATA_END
:
490 if (s
->ext
.early_data
== SSL_EARLY_DATA_ACCEPTED
) {
491 st
->hand_state
= TLS_ST_CW_END_OF_EARLY_DATA
;
492 return WRITE_TRAN_CONTINUE
;
496 case TLS_ST_CW_END_OF_EARLY_DATA
:
497 case TLS_ST_CW_CHANGE
:
498 if (s
->s3
.tmp
.cert_req
== 0)
499 st
->hand_state
= TLS_ST_CW_FINISHED
;
500 else if (do_compressed_cert(s
))
501 st
->hand_state
= TLS_ST_CW_COMP_CERT
;
503 st
->hand_state
= TLS_ST_CW_CERT
;
504 return WRITE_TRAN_CONTINUE
;
506 case TLS_ST_CW_COMP_CERT
:
508 /* If a non-empty Certificate we also send CertificateVerify */
509 st
->hand_state
= (s
->s3
.tmp
.cert_req
== 1) ? TLS_ST_CW_CERT_VRFY
510 : TLS_ST_CW_FINISHED
;
511 return WRITE_TRAN_CONTINUE
;
513 case TLS_ST_CW_CERT_VRFY
:
514 st
->hand_state
= TLS_ST_CW_FINISHED
;
515 return WRITE_TRAN_CONTINUE
;
517 case TLS_ST_CR_KEY_UPDATE
:
518 case TLS_ST_CW_KEY_UPDATE
:
519 case TLS_ST_CR_SESSION_TICKET
:
520 case TLS_ST_CW_FINISHED
:
521 st
->hand_state
= TLS_ST_OK
;
522 return WRITE_TRAN_CONTINUE
;
525 if (s
->key_update
!= SSL_KEY_UPDATE_NONE
) {
526 st
->hand_state
= TLS_ST_CW_KEY_UPDATE
;
527 return WRITE_TRAN_CONTINUE
;
530 /* Try to read from the server instead */
531 return WRITE_TRAN_FINISHED
;
536 * ossl_statem_client_write_transition() works out what handshake state to
537 * move to next when the client is writing messages to be sent to the server.
539 WRITE_TRAN
ossl_statem_client_write_transition(SSL_CONNECTION
*s
)
541 OSSL_STATEM
*st
= &s
->statem
;
544 * Note that immediately before/after a ClientHello we don't know what
545 * version we are going to negotiate yet, so we don't take this branch until
548 if (SSL_CONNECTION_IS_TLS13(s
))
549 return ossl_statem_client13_write_transition(s
);
551 switch (st
->hand_state
) {
553 /* Shouldn't happen */
554 SSLfatal(s
, SSL_AD_INTERNAL_ERROR
, ERR_R_INTERNAL_ERROR
);
555 return WRITE_TRAN_ERROR
;
558 if (!s
->renegotiate
) {
560 * We haven't requested a renegotiation ourselves so we must have
561 * received a message from the server. Better read it.
563 return WRITE_TRAN_FINISHED
;
568 st
->hand_state
= TLS_ST_CW_CLNT_HELLO
;
569 return WRITE_TRAN_CONTINUE
;
571 case TLS_ST_CW_CLNT_HELLO
:
572 if (s
->early_data_state
== SSL_EARLY_DATA_CONNECTING
) {
574 * We are assuming this is a TLSv1.3 connection, although we haven't
575 * actually selected a version yet.
577 if ((s
->options
& SSL_OP_ENABLE_MIDDLEBOX_COMPAT
) != 0)
578 st
->hand_state
= TLS_ST_CW_CHANGE
;
580 st
->hand_state
= TLS_ST_EARLY_DATA
;
581 return WRITE_TRAN_CONTINUE
;
584 * No transition at the end of writing because we don't know what
587 return WRITE_TRAN_FINISHED
;
589 case TLS_ST_CR_SRVR_HELLO
:
591 * We only get here in TLSv1.3. We just received an HRR, so issue a
592 * CCS unless middlebox compat mode is off, or we already issued one
593 * because we did early data.
595 if ((s
->options
& SSL_OP_ENABLE_MIDDLEBOX_COMPAT
) != 0
596 && s
->early_data_state
!= SSL_EARLY_DATA_FINISHED_WRITING
)
597 st
->hand_state
= TLS_ST_CW_CHANGE
;
599 st
->hand_state
= TLS_ST_CW_CLNT_HELLO
;
600 return WRITE_TRAN_CONTINUE
;
602 case TLS_ST_EARLY_DATA
:
603 return WRITE_TRAN_FINISHED
;
605 case DTLS_ST_CR_HELLO_VERIFY_REQUEST
:
606 st
->hand_state
= TLS_ST_CW_CLNT_HELLO
;
607 return WRITE_TRAN_CONTINUE
;
609 case TLS_ST_CR_SRVR_DONE
:
610 if (s
->s3
.tmp
.cert_req
)
611 st
->hand_state
= TLS_ST_CW_CERT
;
613 st
->hand_state
= TLS_ST_CW_KEY_EXCH
;
614 return WRITE_TRAN_CONTINUE
;
617 st
->hand_state
= TLS_ST_CW_KEY_EXCH
;
618 return WRITE_TRAN_CONTINUE
;
620 case TLS_ST_CW_KEY_EXCH
:
622 * For TLS, cert_req is set to 2, so a cert chain of nothing is
623 * sent, but no verify packet is sent
626 * XXX: For now, we do not support client authentication in ECDH
627 * cipher suites with ECDH (rather than ECDSA) certificates. We
628 * need to skip the certificate verify message when client's
629 * ECDH public key is sent inside the client certificate.
631 if (s
->s3
.tmp
.cert_req
== 1) {
632 st
->hand_state
= TLS_ST_CW_CERT_VRFY
;
634 st
->hand_state
= TLS_ST_CW_CHANGE
;
636 if (s
->s3
.flags
& TLS1_FLAGS_SKIP_CERT_VERIFY
) {
637 st
->hand_state
= TLS_ST_CW_CHANGE
;
639 return WRITE_TRAN_CONTINUE
;
641 case TLS_ST_CW_CERT_VRFY
:
642 st
->hand_state
= TLS_ST_CW_CHANGE
;
643 return WRITE_TRAN_CONTINUE
;
645 case TLS_ST_CW_CHANGE
:
646 if (s
->hello_retry_request
== SSL_HRR_PENDING
) {
647 st
->hand_state
= TLS_ST_CW_CLNT_HELLO
;
648 } else if (s
->early_data_state
== SSL_EARLY_DATA_CONNECTING
) {
649 st
->hand_state
= TLS_ST_EARLY_DATA
;
651 #if defined(OPENSSL_NO_NEXTPROTONEG)
652 st
->hand_state
= TLS_ST_CW_FINISHED
;
654 if (!SSL_CONNECTION_IS_DTLS(s
) && s
->s3
.npn_seen
)
655 st
->hand_state
= TLS_ST_CW_NEXT_PROTO
;
657 st
->hand_state
= TLS_ST_CW_FINISHED
;
660 return WRITE_TRAN_CONTINUE
;
662 #if !defined(OPENSSL_NO_NEXTPROTONEG)
663 case TLS_ST_CW_NEXT_PROTO
:
664 st
->hand_state
= TLS_ST_CW_FINISHED
;
665 return WRITE_TRAN_CONTINUE
;
668 case TLS_ST_CW_FINISHED
:
670 st
->hand_state
= TLS_ST_OK
;
671 return WRITE_TRAN_CONTINUE
;
673 return WRITE_TRAN_FINISHED
;
676 case TLS_ST_CR_FINISHED
:
678 st
->hand_state
= TLS_ST_CW_CHANGE
;
679 return WRITE_TRAN_CONTINUE
;
681 st
->hand_state
= TLS_ST_OK
;
682 return WRITE_TRAN_CONTINUE
;
685 case TLS_ST_CR_HELLO_REQ
:
687 * If we can renegotiate now then do so, otherwise wait for a more
690 if (ssl3_renegotiate_check(SSL_CONNECTION_GET_SSL(s
), 1)) {
691 if (!tls_setup_handshake(s
)) {
692 /* SSLfatal() already called */
693 return WRITE_TRAN_ERROR
;
695 st
->hand_state
= TLS_ST_CW_CLNT_HELLO
;
696 return WRITE_TRAN_CONTINUE
;
698 st
->hand_state
= TLS_ST_OK
;
699 return WRITE_TRAN_CONTINUE
;
704 * Perform any pre work that needs to be done prior to sending a message from
705 * the client to the server.
707 WORK_STATE
ossl_statem_client_pre_work(SSL_CONNECTION
*s
, WORK_STATE wst
)
709 OSSL_STATEM
*st
= &s
->statem
;
711 switch (st
->hand_state
) {
713 /* No pre work to be done */
716 case TLS_ST_CW_CLNT_HELLO
:
718 if (SSL_CONNECTION_IS_DTLS(s
)) {
719 /* every DTLS ClientHello resets Finished MAC */
720 if (!ssl3_init_finished_mac(s
)) {
721 /* SSLfatal() already called */
724 } else if (s
->ext
.early_data
== SSL_EARLY_DATA_REJECTED
) {
726 * This must be a second ClientHello after an HRR following an
727 * earlier rejected attempt to send early data. Since we were
728 * previously encrypting the early data we now need to reset the
729 * write record layer in order to write in plaintext again.
731 if (!ssl_set_new_record_layer(s
,
733 OSSL_RECORD_DIRECTION_WRITE
,
734 OSSL_RECORD_PROTECTION_LEVEL_NONE
,
735 NULL
, 0, NULL
, 0, NULL
, 0, NULL
, 0,
736 NULL
, 0, NID_undef
, NULL
, NULL
,
738 /* SSLfatal already called */
744 case TLS_ST_CW_CHANGE
:
745 if (SSL_CONNECTION_IS_DTLS(s
)) {
748 * We're into the last flight so we don't retransmit these
749 * messages unless we need to.
753 #ifndef OPENSSL_NO_SCTP
754 if (BIO_dgram_is_sctp(SSL_get_wbio(SSL_CONNECTION_GET_SSL(s
)))) {
755 /* Calls SSLfatal() as required */
756 return dtls_wait_for_dry(s
);
762 case TLS_ST_PENDING_EARLY_DATA_END
:
764 * If we've been called by SSL_do_handshake()/SSL_write(), or we did not
765 * attempt to write early data before calling SSL_read() then we press
766 * on with the handshake. Otherwise we pause here.
768 if (s
->early_data_state
== SSL_EARLY_DATA_FINISHED_WRITING
769 || s
->early_data_state
== SSL_EARLY_DATA_NONE
)
770 return WORK_FINISHED_CONTINUE
;
773 case TLS_ST_EARLY_DATA
:
774 return tls_finish_handshake(s
, wst
, 0, 1);
777 /* Calls SSLfatal() as required */
778 return tls_finish_handshake(s
, wst
, 1, 1);
781 return WORK_FINISHED_CONTINUE
;
785 * Perform any work that needs to be done after sending a message from the
786 * client to the server.
788 WORK_STATE
ossl_statem_client_post_work(SSL_CONNECTION
*s
, WORK_STATE wst
)
790 OSSL_STATEM
*st
= &s
->statem
;
791 SSL
*ssl
= SSL_CONNECTION_GET_SSL(s
);
795 switch (st
->hand_state
) {
797 /* No post work to be done */
800 case TLS_ST_CW_CLNT_HELLO
:
801 if (s
->early_data_state
== SSL_EARLY_DATA_CONNECTING
802 && s
->max_early_data
> 0) {
804 * We haven't selected TLSv1.3 yet so we don't call the change
805 * cipher state function associated with the SSL_METHOD. Instead
806 * we call tls13_change_cipher_state() directly.
808 if ((s
->options
& SSL_OP_ENABLE_MIDDLEBOX_COMPAT
) == 0) {
809 if (!tls13_change_cipher_state(s
,
810 SSL3_CC_EARLY
| SSL3_CHANGE_CIPHER_CLIENT_WRITE
)) {
811 /* SSLfatal() already called */
815 /* else we're in compat mode so we delay flushing until after CCS */
816 } else if (!statem_flush(s
)) {
820 if (SSL_CONNECTION_IS_DTLS(s
)) {
821 /* Treat the next message as the first packet */
826 case TLS_ST_CW_KEY_EXCH
:
827 if (tls_client_key_exchange_post_work(s
) == 0) {
828 /* SSLfatal() already called */
833 case TLS_ST_CW_CHANGE
:
834 if (SSL_CONNECTION_IS_TLS13(s
)
835 || s
->hello_retry_request
== SSL_HRR_PENDING
)
837 if (s
->early_data_state
== SSL_EARLY_DATA_CONNECTING
838 && s
->max_early_data
> 0) {
840 * We haven't selected TLSv1.3 yet so we don't call the change
841 * cipher state function associated with the SSL_METHOD. Instead
842 * we call tls13_change_cipher_state() directly.
844 if (!tls13_change_cipher_state(s
,
845 SSL3_CC_EARLY
| SSL3_CHANGE_CIPHER_CLIENT_WRITE
))
849 s
->session
->cipher
= s
->s3
.tmp
.new_cipher
;
850 #ifdef OPENSSL_NO_COMP
851 s
->session
->compress_meth
= 0;
853 if (s
->s3
.tmp
.new_compression
== NULL
)
854 s
->session
->compress_meth
= 0;
856 s
->session
->compress_meth
= s
->s3
.tmp
.new_compression
->id
;
858 if (!ssl
->method
->ssl3_enc
->setup_key_block(s
)) {
859 /* SSLfatal() already called */
863 if (!ssl
->method
->ssl3_enc
->change_cipher_state(s
,
864 SSL3_CHANGE_CIPHER_CLIENT_WRITE
)) {
865 /* SSLfatal() already called */
869 if (SSL_CONNECTION_IS_DTLS(s
)) {
870 #ifndef OPENSSL_NO_SCTP
873 * Change to new shared key of SCTP-Auth, will be ignored if
876 BIO_ctrl(SSL_get_wbio(ssl
), BIO_CTRL_DGRAM_SCTP_NEXT_AUTH_KEY
,
881 dtls1_increment_epoch(s
, SSL3_CC_WRITE
);
885 case TLS_ST_CW_FINISHED
:
886 #ifndef OPENSSL_NO_SCTP
887 if (wst
== WORK_MORE_A
&& SSL_CONNECTION_IS_DTLS(s
) && s
->hit
== 0) {
889 * Change to new shared key of SCTP-Auth, will be ignored if
892 BIO_ctrl(SSL_get_wbio(ssl
), BIO_CTRL_DGRAM_SCTP_NEXT_AUTH_KEY
,
896 if (statem_flush(s
) != 1)
899 if (SSL_CONNECTION_IS_TLS13(s
)) {
900 if (!tls13_save_handshake_digest_for_pha(s
)) {
901 /* SSLfatal() already called */
904 if (s
->post_handshake_auth
!= SSL_PHA_REQUESTED
) {
905 if (!ssl
->method
->ssl3_enc
->change_cipher_state(s
,
906 SSL3_CC_APPLICATION
| SSL3_CHANGE_CIPHER_CLIENT_WRITE
)) {
907 /* SSLfatal() already called */
914 case TLS_ST_CW_KEY_UPDATE
:
915 if (statem_flush(s
) != 1)
917 if (!tls13_update_key(s
, 1)) {
918 /* SSLfatal() already called */
924 return WORK_FINISHED_CONTINUE
;
928 * Get the message construction function and message type for sending from the
931 * Valid return values are:
935 int ossl_statem_client_construct_message(SSL_CONNECTION
*s
,
936 confunc_f
*confunc
, int *mt
)
938 OSSL_STATEM
*st
= &s
->statem
;
940 switch (st
->hand_state
) {
942 /* Shouldn't happen */
943 SSLfatal(s
, SSL_AD_INTERNAL_ERROR
, SSL_R_BAD_HANDSHAKE_STATE
);
946 case TLS_ST_CW_CHANGE
:
947 if (SSL_CONNECTION_IS_DTLS(s
))
948 *confunc
= dtls_construct_change_cipher_spec
;
950 *confunc
= tls_construct_change_cipher_spec
;
951 *mt
= SSL3_MT_CHANGE_CIPHER_SPEC
;
954 case TLS_ST_CW_CLNT_HELLO
:
955 *confunc
= tls_construct_client_hello
;
956 *mt
= SSL3_MT_CLIENT_HELLO
;
959 case TLS_ST_CW_END_OF_EARLY_DATA
:
960 *confunc
= tls_construct_end_of_early_data
;
961 *mt
= SSL3_MT_END_OF_EARLY_DATA
;
964 case TLS_ST_PENDING_EARLY_DATA_END
:
970 *confunc
= tls_construct_client_certificate
;
971 *mt
= SSL3_MT_CERTIFICATE
;
974 #ifndef OPENSSL_NO_COMP_ALG
975 case TLS_ST_CW_COMP_CERT
:
976 *confunc
= tls_construct_client_compressed_certificate
;
977 *mt
= SSL3_MT_COMPRESSED_CERTIFICATE
;
981 case TLS_ST_CW_KEY_EXCH
:
982 *confunc
= tls_construct_client_key_exchange
;
983 *mt
= SSL3_MT_CLIENT_KEY_EXCHANGE
;
986 case TLS_ST_CW_CERT_VRFY
:
987 *confunc
= tls_construct_cert_verify
;
988 *mt
= SSL3_MT_CERTIFICATE_VERIFY
;
991 #if !defined(OPENSSL_NO_NEXTPROTONEG)
992 case TLS_ST_CW_NEXT_PROTO
:
993 *confunc
= tls_construct_next_proto
;
994 *mt
= SSL3_MT_NEXT_PROTO
;
997 case TLS_ST_CW_FINISHED
:
998 *confunc
= tls_construct_finished
;
999 *mt
= SSL3_MT_FINISHED
;
1002 case TLS_ST_CW_KEY_UPDATE
:
1003 *confunc
= tls_construct_key_update
;
1004 *mt
= SSL3_MT_KEY_UPDATE
;
1012 * Returns the maximum allowed length for the current message that we are
1013 * reading. Excludes the message header.
1015 size_t ossl_statem_client_max_message_size(SSL_CONNECTION
*s
)
1017 OSSL_STATEM
*st
= &s
->statem
;
1019 switch (st
->hand_state
) {
1021 /* Shouldn't happen */
1024 case TLS_ST_CR_SRVR_HELLO
:
1025 return SERVER_HELLO_MAX_LENGTH
;
1027 case DTLS_ST_CR_HELLO_VERIFY_REQUEST
:
1028 return HELLO_VERIFY_REQUEST_MAX_LENGTH
;
1030 case TLS_ST_CR_COMP_CERT
:
1031 case TLS_ST_CR_CERT
:
1032 return s
->max_cert_list
;
1034 case TLS_ST_CR_CERT_VRFY
:
1035 return CERTIFICATE_VERIFY_MAX_LENGTH
;
1037 case TLS_ST_CR_CERT_STATUS
:
1038 return SSL3_RT_MAX_PLAIN_LENGTH
;
1040 case TLS_ST_CR_KEY_EXCH
:
1041 return SERVER_KEY_EXCH_MAX_LENGTH
;
1043 case TLS_ST_CR_CERT_REQ
:
1045 * Set to s->max_cert_list for compatibility with previous releases. In
1046 * practice these messages can get quite long if servers are configured
1047 * to provide a long list of acceptable CAs
1049 return s
->max_cert_list
;
1051 case TLS_ST_CR_SRVR_DONE
:
1052 return SERVER_HELLO_DONE_MAX_LENGTH
;
1054 case TLS_ST_CR_CHANGE
:
1055 if (s
->version
== DTLS1_BAD_VER
)
1057 return CCS_MAX_LENGTH
;
1059 case TLS_ST_CR_SESSION_TICKET
:
1060 return (SSL_CONNECTION_IS_TLS13(s
)) ? SESSION_TICKET_MAX_LENGTH_TLS13
1061 : SESSION_TICKET_MAX_LENGTH_TLS12
;
1063 case TLS_ST_CR_FINISHED
:
1064 return FINISHED_MAX_LENGTH
;
1066 case TLS_ST_CR_ENCRYPTED_EXTENSIONS
:
1067 return ENCRYPTED_EXTENSIONS_MAX_LENGTH
;
1069 case TLS_ST_CR_KEY_UPDATE
:
1070 return KEY_UPDATE_MAX_LENGTH
;
1075 * Process a message that the client has received from the server.
1077 MSG_PROCESS_RETURN
ossl_statem_client_process_message(SSL_CONNECTION
*s
,
1080 OSSL_STATEM
*st
= &s
->statem
;
1082 switch (st
->hand_state
) {
1084 /* Shouldn't happen */
1085 SSLfatal(s
, SSL_AD_INTERNAL_ERROR
, ERR_R_INTERNAL_ERROR
);
1086 return MSG_PROCESS_ERROR
;
1088 case TLS_ST_CR_SRVR_HELLO
:
1089 return tls_process_server_hello(s
, pkt
);
1091 case DTLS_ST_CR_HELLO_VERIFY_REQUEST
:
1092 return dtls_process_hello_verify(s
, pkt
);
1094 case TLS_ST_CR_CERT
:
1095 return tls_process_server_certificate(s
, pkt
);
1097 #ifndef OPENSSL_NO_COMP_ALG
1098 case TLS_ST_CR_COMP_CERT
:
1099 return tls_process_server_compressed_certificate(s
, pkt
);
1102 case TLS_ST_CR_CERT_VRFY
:
1103 return tls_process_cert_verify(s
, pkt
);
1105 case TLS_ST_CR_CERT_STATUS
:
1106 return tls_process_cert_status(s
, pkt
);
1108 case TLS_ST_CR_KEY_EXCH
:
1109 return tls_process_key_exchange(s
, pkt
);
1111 case TLS_ST_CR_CERT_REQ
:
1112 return tls_process_certificate_request(s
, pkt
);
1114 case TLS_ST_CR_SRVR_DONE
:
1115 return tls_process_server_done(s
, pkt
);
1117 case TLS_ST_CR_CHANGE
:
1118 return tls_process_change_cipher_spec(s
, pkt
);
1120 case TLS_ST_CR_SESSION_TICKET
:
1121 return tls_process_new_session_ticket(s
, pkt
);
1123 case TLS_ST_CR_FINISHED
:
1124 return tls_process_finished(s
, pkt
);
1126 case TLS_ST_CR_HELLO_REQ
:
1127 return tls_process_hello_req(s
, pkt
);
1129 case TLS_ST_CR_ENCRYPTED_EXTENSIONS
:
1130 return tls_process_encrypted_extensions(s
, pkt
);
1132 case TLS_ST_CR_KEY_UPDATE
:
1133 return tls_process_key_update(s
, pkt
);
1138 * Perform any further processing required following the receipt of a message
1141 WORK_STATE
ossl_statem_client_post_process_message(SSL_CONNECTION
*s
,
1144 OSSL_STATEM
*st
= &s
->statem
;
1146 switch (st
->hand_state
) {
1148 /* Shouldn't happen */
1149 SSLfatal(s
, SSL_AD_INTERNAL_ERROR
, ERR_R_INTERNAL_ERROR
);
1152 case TLS_ST_CR_CERT
:
1153 case TLS_ST_CR_COMP_CERT
:
1154 return tls_post_process_server_certificate(s
, wst
);
1156 case TLS_ST_CR_CERT_VRFY
:
1157 case TLS_ST_CR_CERT_REQ
:
1158 return tls_prepare_client_certificate(s
, wst
);
1162 CON_FUNC_RETURN
tls_construct_client_hello(SSL_CONNECTION
*s
, WPACKET
*pkt
)
1167 #ifndef OPENSSL_NO_COMP
1170 SSL_SESSION
*sess
= s
->session
;
1171 unsigned char *session_id
;
1172 SSL_CTX
*sctx
= SSL_CONNECTION_GET_CTX(s
);
1174 /* Work out what SSL/TLS/DTLS version to use */
1175 protverr
= ssl_set_client_hello_version(s
);
1176 if (protverr
!= 0) {
1177 SSLfatal(s
, SSL_AD_INTERNAL_ERROR
, protverr
);
1178 return CON_FUNC_ERROR
;
1182 || !ssl_version_supported(s
, sess
->ssl_version
, NULL
)
1183 || !SSL_SESSION_is_resumable(sess
)) {
1184 if (s
->hello_retry_request
== SSL_HRR_NONE
1185 && !ssl_get_new_session(s
, 0)) {
1186 /* SSLfatal() already called */
1187 return CON_FUNC_ERROR
;
1190 /* else use the pre-loaded session */
1192 p
= s
->s3
.client_random
;
1195 * for DTLS if client_random is initialized, reuse it, we are
1196 * required to use same upon reply to HelloVerify
1198 if (SSL_CONNECTION_IS_DTLS(s
)) {
1201 for (idx
= 0; idx
< sizeof(s
->s3
.client_random
); idx
++) {
1208 i
= (s
->hello_retry_request
== SSL_HRR_NONE
);
1211 if (i
&& ssl_fill_hello_random(s
, 0, p
, sizeof(s
->s3
.client_random
),
1212 DOWNGRADE_NONE
) <= 0) {
1213 SSLfatal(s
, SSL_AD_INTERNAL_ERROR
, ERR_R_INTERNAL_ERROR
);
1214 return CON_FUNC_ERROR
;
1218 * version indicates the negotiated version: for example from
1219 * an SSLv2/v3 compatible client hello). The client_version
1220 * field is the maximum version we permit and it is also
1221 * used in RSA encrypted premaster secrets. Some servers can
1222 * choke if we initially report a higher version then
1223 * renegotiate to a lower one in the premaster secret. This
1224 * didn't happen with TLS 1.0 as most servers supported it
1225 * but it can with TLS 1.1 or later if the server only supports
1228 * Possible scenario with previous logic:
1229 * 1. Client hello indicates TLS 1.2
1230 * 2. Server hello says TLS 1.0
1231 * 3. RSA encrypted premaster secret uses 1.2.
1232 * 4. Handshake proceeds using TLS 1.0.
1233 * 5. Server sends hello request to renegotiate.
1234 * 6. Client hello indicates TLS v1.0 as we now
1235 * know that is maximum server supports.
1236 * 7. Server chokes on RSA encrypted premaster secret
1237 * containing version 1.0.
1239 * For interoperability it should be OK to always use the
1240 * maximum version we support in client hello and then rely
1241 * on the checking of version to ensure the servers isn't
1242 * being inconsistent: for example initially negotiating with
1243 * TLS 1.0 and renegotiating with TLS 1.2. We do this by using
1244 * client_version in client hello and not resetting it to
1245 * the negotiated version.
1247 * For TLS 1.3 we always set the ClientHello version to 1.2 and rely on the
1248 * supported_versions extension for the real supported versions.
1250 if (!WPACKET_put_bytes_u16(pkt
, s
->client_version
)
1251 || !WPACKET_memcpy(pkt
, s
->s3
.client_random
, SSL3_RANDOM_SIZE
)) {
1252 SSLfatal(s
, SSL_AD_INTERNAL_ERROR
, ERR_R_INTERNAL_ERROR
);
1253 return CON_FUNC_ERROR
;
1257 session_id
= s
->session
->session_id
;
1258 if (s
->new_session
|| s
->session
->ssl_version
== TLS1_3_VERSION
) {
1259 if (s
->version
== TLS1_3_VERSION
1260 && (s
->options
& SSL_OP_ENABLE_MIDDLEBOX_COMPAT
) != 0) {
1261 sess_id_len
= sizeof(s
->tmp_session_id
);
1262 s
->tmp_session_id_len
= sess_id_len
;
1263 session_id
= s
->tmp_session_id
;
1264 if (s
->hello_retry_request
== SSL_HRR_NONE
1265 && RAND_bytes_ex(sctx
->libctx
, s
->tmp_session_id
,
1266 sess_id_len
, 0) <= 0) {
1267 SSLfatal(s
, SSL_AD_INTERNAL_ERROR
, ERR_R_INTERNAL_ERROR
);
1268 return CON_FUNC_ERROR
;
1274 assert(s
->session
->session_id_length
<= sizeof(s
->session
->session_id
));
1275 sess_id_len
= s
->session
->session_id_length
;
1276 if (s
->version
== TLS1_3_VERSION
) {
1277 s
->tmp_session_id_len
= sess_id_len
;
1278 memcpy(s
->tmp_session_id
, s
->session
->session_id
, sess_id_len
);
1281 if (!WPACKET_start_sub_packet_u8(pkt
)
1282 || (sess_id_len
!= 0 && !WPACKET_memcpy(pkt
, session_id
,
1284 || !WPACKET_close(pkt
)) {
1285 SSLfatal(s
, SSL_AD_INTERNAL_ERROR
, ERR_R_INTERNAL_ERROR
);
1286 return CON_FUNC_ERROR
;
1289 /* cookie stuff for DTLS */
1290 if (SSL_CONNECTION_IS_DTLS(s
)) {
1291 if (s
->d1
->cookie_len
> sizeof(s
->d1
->cookie
)
1292 || !WPACKET_sub_memcpy_u8(pkt
, s
->d1
->cookie
,
1293 s
->d1
->cookie_len
)) {
1294 SSLfatal(s
, SSL_AD_INTERNAL_ERROR
, ERR_R_INTERNAL_ERROR
);
1295 return CON_FUNC_ERROR
;
1299 /* Ciphers supported */
1300 if (!WPACKET_start_sub_packet_u16(pkt
)) {
1301 SSLfatal(s
, SSL_AD_INTERNAL_ERROR
, ERR_R_INTERNAL_ERROR
);
1302 return CON_FUNC_ERROR
;
1305 if (!ssl_cipher_list_to_bytes(s
, SSL_get_ciphers(SSL_CONNECTION_GET_SSL(s
)),
1307 /* SSLfatal() already called */
1308 return CON_FUNC_ERROR
;
1310 if (!WPACKET_close(pkt
)) {
1311 SSLfatal(s
, SSL_AD_INTERNAL_ERROR
, ERR_R_INTERNAL_ERROR
);
1312 return CON_FUNC_ERROR
;
1316 if (!WPACKET_start_sub_packet_u8(pkt
)) {
1317 SSLfatal(s
, SSL_AD_INTERNAL_ERROR
, ERR_R_INTERNAL_ERROR
);
1318 return CON_FUNC_ERROR
;
1320 #ifndef OPENSSL_NO_COMP
1321 if (ssl_allow_compression(s
)
1322 && sctx
->comp_methods
1323 && (SSL_CONNECTION_IS_DTLS(s
)
1324 || s
->s3
.tmp
.max_ver
< TLS1_3_VERSION
)) {
1325 int compnum
= sk_SSL_COMP_num(sctx
->comp_methods
);
1326 for (i
= 0; i
< compnum
; i
++) {
1327 comp
= sk_SSL_COMP_value(sctx
->comp_methods
, i
);
1328 if (!WPACKET_put_bytes_u8(pkt
, comp
->id
)) {
1329 SSLfatal(s
, SSL_AD_INTERNAL_ERROR
, ERR_R_INTERNAL_ERROR
);
1330 return CON_FUNC_ERROR
;
1335 /* Add the NULL method */
1336 if (!WPACKET_put_bytes_u8(pkt
, 0) || !WPACKET_close(pkt
)) {
1337 SSLfatal(s
, SSL_AD_INTERNAL_ERROR
, ERR_R_INTERNAL_ERROR
);
1338 return CON_FUNC_ERROR
;
1341 /* TLS extensions */
1342 if (!tls_construct_extensions(s
, pkt
, SSL_EXT_CLIENT_HELLO
, NULL
, 0)) {
1343 /* SSLfatal() already called */
1344 return CON_FUNC_ERROR
;
1347 return CON_FUNC_SUCCESS
;
1350 MSG_PROCESS_RETURN
dtls_process_hello_verify(SSL_CONNECTION
*s
, PACKET
*pkt
)
1355 if (!PACKET_forward(pkt
, 2)
1356 || !PACKET_get_length_prefixed_1(pkt
, &cookiepkt
)) {
1357 SSLfatal(s
, SSL_AD_DECODE_ERROR
, SSL_R_LENGTH_MISMATCH
);
1358 return MSG_PROCESS_ERROR
;
1361 cookie_len
= PACKET_remaining(&cookiepkt
);
1362 if (cookie_len
> sizeof(s
->d1
->cookie
)) {
1363 SSLfatal(s
, SSL_AD_ILLEGAL_PARAMETER
, SSL_R_LENGTH_TOO_LONG
);
1364 return MSG_PROCESS_ERROR
;
1367 if (!PACKET_copy_bytes(&cookiepkt
, s
->d1
->cookie
, cookie_len
)) {
1368 SSLfatal(s
, SSL_AD_DECODE_ERROR
, SSL_R_LENGTH_MISMATCH
);
1369 return MSG_PROCESS_ERROR
;
1371 s
->d1
->cookie_len
= cookie_len
;
1373 return MSG_PROCESS_FINISHED_READING
;
1376 static int set_client_ciphersuite(SSL_CONNECTION
*s
,
1377 const unsigned char *cipherchars
)
1379 STACK_OF(SSL_CIPHER
) *sk
;
1380 const SSL_CIPHER
*c
;
1382 SSL_CTX
*sctx
= SSL_CONNECTION_GET_CTX(s
);
1384 c
= ssl_get_cipher_by_char(s
, cipherchars
, 0);
1386 /* unknown cipher */
1387 SSLfatal(s
, SSL_AD_ILLEGAL_PARAMETER
, SSL_R_UNKNOWN_CIPHER_RETURNED
);
1391 * If it is a disabled cipher we either didn't send it in client hello,
1392 * or it's not allowed for the selected protocol. So we return an error.
1394 if (ssl_cipher_disabled(s
, c
, SSL_SECOP_CIPHER_CHECK
, 1)) {
1395 SSLfatal(s
, SSL_AD_ILLEGAL_PARAMETER
, SSL_R_WRONG_CIPHER_RETURNED
);
1399 sk
= ssl_get_ciphers_by_id(s
);
1400 i
= sk_SSL_CIPHER_find(sk
, c
);
1402 /* we did not say we would use this cipher */
1403 SSLfatal(s
, SSL_AD_ILLEGAL_PARAMETER
, SSL_R_WRONG_CIPHER_RETURNED
);
1407 if (SSL_CONNECTION_IS_TLS13(s
) && s
->s3
.tmp
.new_cipher
!= NULL
1408 && s
->s3
.tmp
.new_cipher
->id
!= c
->id
) {
1409 /* ServerHello selected a different ciphersuite to that in the HRR */
1410 SSLfatal(s
, SSL_AD_ILLEGAL_PARAMETER
, SSL_R_WRONG_CIPHER_RETURNED
);
1415 * Depending on the session caching (internal/external), the cipher
1416 * and/or cipher_id values may not be set. Make sure that cipher_id is
1417 * set and use it for comparison.
1419 if (s
->session
->cipher
!= NULL
)
1420 s
->session
->cipher_id
= s
->session
->cipher
->id
;
1421 if (s
->hit
&& (s
->session
->cipher_id
!= c
->id
)) {
1422 if (SSL_CONNECTION_IS_TLS13(s
)) {
1423 const EVP_MD
*md
= ssl_md(sctx
, c
->algorithm2
);
1426 * In TLSv1.3 it is valid for the server to select a different
1427 * ciphersuite as long as the hash is the same.
1430 || md
!= ssl_md(sctx
, s
->session
->cipher
->algorithm2
)) {
1431 SSLfatal(s
, SSL_AD_ILLEGAL_PARAMETER
,
1432 SSL_R_CIPHERSUITE_DIGEST_HAS_CHANGED
);
1437 * Prior to TLSv1.3 resuming a session always meant using the same
1440 SSLfatal(s
, SSL_AD_ILLEGAL_PARAMETER
,
1441 SSL_R_OLD_SESSION_CIPHER_NOT_RETURNED
);
1445 s
->s3
.tmp
.new_cipher
= c
;
1450 MSG_PROCESS_RETURN
tls_process_server_hello(SSL_CONNECTION
*s
, PACKET
*pkt
)
1452 PACKET session_id
, extpkt
;
1453 size_t session_id_len
;
1454 const unsigned char *cipherchars
;
1456 unsigned int compression
;
1457 unsigned int sversion
;
1458 unsigned int context
;
1459 RAW_EXTENSION
*extensions
= NULL
;
1460 SSL
*ssl
= SSL_CONNECTION_GET_SSL(s
);
1461 #ifndef OPENSSL_NO_COMP
1465 if (!PACKET_get_net_2(pkt
, &sversion
)) {
1466 SSLfatal(s
, SSL_AD_DECODE_ERROR
, SSL_R_LENGTH_MISMATCH
);
1470 /* load the server random */
1471 if (s
->version
== TLS1_3_VERSION
1472 && sversion
== TLS1_2_VERSION
1473 && PACKET_remaining(pkt
) >= SSL3_RANDOM_SIZE
1474 && memcmp(hrrrandom
, PACKET_data(pkt
), SSL3_RANDOM_SIZE
) == 0) {
1475 if (s
->hello_retry_request
!= SSL_HRR_NONE
) {
1476 SSLfatal(s
, SSL_AD_UNEXPECTED_MESSAGE
, SSL_R_UNEXPECTED_MESSAGE
);
1479 s
->hello_retry_request
= SSL_HRR_PENDING
;
1480 /* Tell the record layer that we know we're going to get TLSv1.3 */
1481 if (!ssl_set_record_protocol_version(s
, s
->version
)) {
1482 SSLfatal(s
, SSL_AD_INTERNAL_ERROR
, ERR_R_INTERNAL_ERROR
);
1486 if (!PACKET_forward(pkt
, SSL3_RANDOM_SIZE
)) {
1487 SSLfatal(s
, SSL_AD_DECODE_ERROR
, SSL_R_LENGTH_MISMATCH
);
1491 if (!PACKET_copy_bytes(pkt
, s
->s3
.server_random
, SSL3_RANDOM_SIZE
)) {
1492 SSLfatal(s
, SSL_AD_DECODE_ERROR
, SSL_R_LENGTH_MISMATCH
);
1497 /* Get the session-id. */
1498 if (!PACKET_get_length_prefixed_1(pkt
, &session_id
)) {
1499 SSLfatal(s
, SSL_AD_DECODE_ERROR
, SSL_R_LENGTH_MISMATCH
);
1502 session_id_len
= PACKET_remaining(&session_id
);
1503 if (session_id_len
> sizeof(s
->session
->session_id
)
1504 || session_id_len
> SSL3_SESSION_ID_SIZE
) {
1505 SSLfatal(s
, SSL_AD_ILLEGAL_PARAMETER
, SSL_R_SSL3_SESSION_ID_TOO_LONG
);
1509 if (!PACKET_get_bytes(pkt
, &cipherchars
, TLS_CIPHER_LEN
)) {
1510 SSLfatal(s
, SSL_AD_DECODE_ERROR
, SSL_R_LENGTH_MISMATCH
);
1514 if (!PACKET_get_1(pkt
, &compression
)) {
1515 SSLfatal(s
, SSL_AD_DECODE_ERROR
, SSL_R_LENGTH_MISMATCH
);
1519 /* TLS extensions */
1520 if (PACKET_remaining(pkt
) == 0 && !hrr
) {
1521 PACKET_null_init(&extpkt
);
1522 } else if (!PACKET_as_length_prefixed_2(pkt
, &extpkt
)
1523 || PACKET_remaining(pkt
) != 0) {
1524 SSLfatal(s
, SSL_AD_DECODE_ERROR
, SSL_R_BAD_LENGTH
);
1529 if (!tls_collect_extensions(s
, &extpkt
,
1530 SSL_EXT_TLS1_2_SERVER_HELLO
1531 | SSL_EXT_TLS1_3_SERVER_HELLO
,
1532 &extensions
, NULL
, 1)) {
1533 /* SSLfatal() already called */
1537 if (!ssl_choose_client_version(s
, sversion
, extensions
)) {
1538 /* SSLfatal() already called */
1543 if (SSL_CONNECTION_IS_TLS13(s
) || hrr
) {
1544 if (compression
!= 0) {
1545 SSLfatal(s
, SSL_AD_ILLEGAL_PARAMETER
,
1546 SSL_R_INVALID_COMPRESSION_ALGORITHM
);
1550 if (session_id_len
!= s
->tmp_session_id_len
1551 || memcmp(PACKET_data(&session_id
), s
->tmp_session_id
,
1552 session_id_len
) != 0) {
1553 SSLfatal(s
, SSL_AD_ILLEGAL_PARAMETER
, SSL_R_INVALID_SESSION_ID
);
1559 if (!set_client_ciphersuite(s
, cipherchars
)) {
1560 /* SSLfatal() already called */
1564 return tls_process_as_hello_retry_request(s
, &extpkt
);
1568 * Now we have chosen the version we need to check again that the extensions
1569 * are appropriate for this version.
1571 context
= SSL_CONNECTION_IS_TLS13(s
) ? SSL_EXT_TLS1_3_SERVER_HELLO
1572 : SSL_EXT_TLS1_2_SERVER_HELLO
;
1573 if (!tls_validate_all_contexts(s
, context
, extensions
)) {
1574 SSLfatal(s
, SSL_AD_ILLEGAL_PARAMETER
, SSL_R_BAD_EXTENSION
);
1580 if (SSL_CONNECTION_IS_TLS13(s
)) {
1582 * In TLSv1.3 a ServerHello message signals a key change so the end of
1583 * the message must be on a record boundary.
1585 if (RECORD_LAYER_processed_read_pending(&s
->rlayer
)) {
1586 SSLfatal(s
, SSL_AD_UNEXPECTED_MESSAGE
,
1587 SSL_R_NOT_ON_RECORD_BOUNDARY
);
1591 /* This will set s->hit if we are resuming */
1592 if (!tls_parse_extension(s
, TLSEXT_IDX_psk
,
1593 SSL_EXT_TLS1_3_SERVER_HELLO
,
1594 extensions
, NULL
, 0)) {
1595 /* SSLfatal() already called */
1600 * Check if we can resume the session based on external pre-shared
1601 * secret. EAP-FAST (RFC 4851) supports two types of session resumption.
1602 * Resumption based on server-side state works with session IDs.
1603 * Resumption based on pre-shared Protected Access Credentials (PACs)
1604 * works by overriding the SessionTicket extension at the application
1605 * layer, and does not send a session ID. (We do not know whether
1606 * EAP-FAST servers would honour the session ID.) Therefore, the session
1607 * ID alone is not a reliable indicator of session resumption, so we
1608 * first check if we can resume, and later peek at the next handshake
1609 * message to see if the server wants to resume.
1611 if (s
->version
>= TLS1_VERSION
1612 && s
->ext
.session_secret_cb
!= NULL
&& s
->session
->ext
.tick
) {
1613 const SSL_CIPHER
*pref_cipher
= NULL
;
1615 * s->session->master_key_length is a size_t, but this is an int for
1616 * backwards compat reasons
1618 int master_key_length
;
1620 master_key_length
= sizeof(s
->session
->master_key
);
1621 if (s
->ext
.session_secret_cb(ssl
, s
->session
->master_key
,
1624 s
->ext
.session_secret_cb_arg
)
1625 && master_key_length
> 0) {
1626 s
->session
->master_key_length
= master_key_length
;
1627 s
->session
->cipher
= pref_cipher
?
1628 pref_cipher
: ssl_get_cipher_by_char(s
, cipherchars
, 0);
1630 SSLfatal(s
, SSL_AD_INTERNAL_ERROR
, ERR_R_INTERNAL_ERROR
);
1635 if (session_id_len
!= 0
1636 && session_id_len
== s
->session
->session_id_length
1637 && memcmp(PACKET_data(&session_id
), s
->session
->session_id
,
1638 session_id_len
) == 0)
1643 if (s
->sid_ctx_length
!= s
->session
->sid_ctx_length
1644 || memcmp(s
->session
->sid_ctx
, s
->sid_ctx
, s
->sid_ctx_length
)) {
1645 /* actually a client application bug */
1646 SSLfatal(s
, SSL_AD_ILLEGAL_PARAMETER
,
1647 SSL_R_ATTEMPT_TO_REUSE_SESSION_IN_DIFFERENT_CONTEXT
);
1652 * If we were trying for session-id reuse but the server
1653 * didn't resume, make a new SSL_SESSION.
1654 * In the case of EAP-FAST and PAC, we do not send a session ID,
1655 * so the PAC-based session secret is always preserved. It'll be
1656 * overwritten if the server refuses resumption.
1658 if (s
->session
->session_id_length
> 0) {
1659 ssl_tsan_counter(s
->session_ctx
, &s
->session_ctx
->stats
.sess_miss
);
1660 if (!ssl_get_new_session(s
, 0)) {
1661 /* SSLfatal() already called */
1666 s
->session
->ssl_version
= s
->version
;
1668 * In TLSv1.2 and below we save the session id we were sent so we can
1669 * resume it later. In TLSv1.3 the session id we were sent is just an
1670 * echo of what we originally sent in the ClientHello and should not be
1671 * used for resumption.
1673 if (!SSL_CONNECTION_IS_TLS13(s
)) {
1674 s
->session
->session_id_length
= session_id_len
;
1675 /* session_id_len could be 0 */
1676 if (session_id_len
> 0)
1677 memcpy(s
->session
->session_id
, PACKET_data(&session_id
),
1682 /* Session version and negotiated protocol version should match */
1683 if (s
->version
!= s
->session
->ssl_version
) {
1684 SSLfatal(s
, SSL_AD_PROTOCOL_VERSION
,
1685 SSL_R_SSL_SESSION_VERSION_MISMATCH
);
1689 * Now that we know the version, update the check to see if it's an allowed
1692 s
->s3
.tmp
.min_ver
= s
->version
;
1693 s
->s3
.tmp
.max_ver
= s
->version
;
1695 if (!set_client_ciphersuite(s
, cipherchars
)) {
1696 /* SSLfatal() already called */
1700 #ifdef OPENSSL_NO_COMP
1701 if (compression
!= 0) {
1702 SSLfatal(s
, SSL_AD_ILLEGAL_PARAMETER
,
1703 SSL_R_UNSUPPORTED_COMPRESSION_ALGORITHM
);
1707 * If compression is disabled we'd better not try to resume a session
1708 * using compression.
1710 if (s
->session
->compress_meth
!= 0) {
1711 SSLfatal(s
, SSL_AD_HANDSHAKE_FAILURE
, SSL_R_INCONSISTENT_COMPRESSION
);
1715 if (s
->hit
&& compression
!= s
->session
->compress_meth
) {
1716 SSLfatal(s
, SSL_AD_ILLEGAL_PARAMETER
,
1717 SSL_R_OLD_SESSION_COMPRESSION_ALGORITHM_NOT_RETURNED
);
1720 if (compression
== 0)
1722 else if (!ssl_allow_compression(s
)) {
1723 SSLfatal(s
, SSL_AD_ILLEGAL_PARAMETER
, SSL_R_COMPRESSION_DISABLED
);
1726 comp
= ssl3_comp_find(SSL_CONNECTION_GET_CTX(s
)->comp_methods
,
1730 if (compression
!= 0 && comp
== NULL
) {
1731 SSLfatal(s
, SSL_AD_ILLEGAL_PARAMETER
,
1732 SSL_R_UNSUPPORTED_COMPRESSION_ALGORITHM
);
1735 s
->s3
.tmp
.new_compression
= comp
;
1739 if (!tls_parse_all_extensions(s
, context
, extensions
, NULL
, 0, 1)) {
1740 /* SSLfatal() already called */
1744 #ifndef OPENSSL_NO_SCTP
1745 if (SSL_CONNECTION_IS_DTLS(s
) && s
->hit
) {
1746 unsigned char sctpauthkey
[64];
1747 char labelbuffer
[sizeof(DTLS1_SCTP_AUTH_LABEL
)];
1751 * Add new shared key for SCTP-Auth, will be ignored if
1754 memcpy(labelbuffer
, DTLS1_SCTP_AUTH_LABEL
,
1755 sizeof(DTLS1_SCTP_AUTH_LABEL
));
1757 /* Don't include the terminating zero. */
1758 labellen
= sizeof(labelbuffer
) - 1;
1759 if (s
->mode
& SSL_MODE_DTLS_SCTP_LABEL_LENGTH_BUG
)
1762 if (SSL_export_keying_material(ssl
, sctpauthkey
,
1763 sizeof(sctpauthkey
),
1765 labellen
, NULL
, 0, 0) <= 0) {
1766 SSLfatal(s
, SSL_AD_INTERNAL_ERROR
, ERR_R_INTERNAL_ERROR
);
1770 BIO_ctrl(SSL_get_wbio(ssl
),
1771 BIO_CTRL_DGRAM_SCTP_ADD_AUTH_KEY
,
1772 sizeof(sctpauthkey
), sctpauthkey
);
1777 * In TLSv1.3 we have some post-processing to change cipher state, otherwise
1778 * we're done with this message
1780 if (SSL_CONNECTION_IS_TLS13(s
)
1781 && (!ssl
->method
->ssl3_enc
->setup_key_block(s
)
1782 || !ssl
->method
->ssl3_enc
->change_cipher_state(s
,
1783 SSL3_CC_HANDSHAKE
| SSL3_CHANGE_CIPHER_CLIENT_READ
))) {
1784 /* SSLfatal() already called */
1788 OPENSSL_free(extensions
);
1789 return MSG_PROCESS_CONTINUE_READING
;
1791 OPENSSL_free(extensions
);
1792 return MSG_PROCESS_ERROR
;
1795 static MSG_PROCESS_RETURN
tls_process_as_hello_retry_request(SSL_CONNECTION
*s
,
1798 RAW_EXTENSION
*extensions
= NULL
;
1801 * If we were sending early_data then any alerts should not be sent using
1802 * the old wrlmethod.
1804 if (s
->early_data_state
== SSL_EARLY_DATA_FINISHED_WRITING
1805 && !ssl_set_new_record_layer(s
,
1807 OSSL_RECORD_DIRECTION_WRITE
,
1808 OSSL_RECORD_PROTECTION_LEVEL_NONE
,
1809 NULL
, 0, NULL
, 0, NULL
, 0, NULL
, 0,
1810 NULL
, 0, NID_undef
, NULL
, NULL
, NULL
)) {
1811 /* SSLfatal already called */
1814 /* We are definitely going to be using TLSv1.3 */
1815 s
->rlayer
.wrlmethod
->set_protocol_version(s
->rlayer
.wrl
, TLS1_3_VERSION
);
1817 if (!tls_collect_extensions(s
, extpkt
, SSL_EXT_TLS1_3_HELLO_RETRY_REQUEST
,
1818 &extensions
, NULL
, 1)
1819 || !tls_parse_all_extensions(s
, SSL_EXT_TLS1_3_HELLO_RETRY_REQUEST
,
1820 extensions
, NULL
, 0, 1)) {
1821 /* SSLfatal() already called */
1825 OPENSSL_free(extensions
);
1828 if (s
->ext
.tls13_cookie_len
== 0 && s
->s3
.tmp
.pkey
!= NULL
) {
1830 * We didn't receive a cookie or a new key_share so the next
1831 * ClientHello will not change
1833 SSLfatal(s
, SSL_AD_ILLEGAL_PARAMETER
, SSL_R_NO_CHANGE_FOLLOWING_HRR
);
1838 * Re-initialise the Transcript Hash. We're going to prepopulate it with
1839 * a synthetic message_hash in place of ClientHello1.
1841 if (!create_synthetic_message_hash(s
, NULL
, 0, NULL
, 0)) {
1842 /* SSLfatal() already called */
1847 * Add this message to the Transcript Hash. Normally this is done
1848 * automatically prior to the message processing stage. However due to the
1849 * need to create the synthetic message hash, we defer that step until now
1852 if (!ssl3_finish_mac(s
, (unsigned char *)s
->init_buf
->data
,
1853 s
->init_num
+ SSL3_HM_HEADER_LENGTH
)) {
1854 /* SSLfatal() already called */
1858 return MSG_PROCESS_FINISHED_READING
;
1860 OPENSSL_free(extensions
);
1861 return MSG_PROCESS_ERROR
;
1864 MSG_PROCESS_RETURN
tls_process_server_rpk(SSL_CONNECTION
*sc
, PACKET
*pkt
)
1868 if (!tls_process_rpk(sc
, pkt
, &peer_rpk
)) {
1869 /* SSLfatal() already called */
1870 return MSG_PROCESS_ERROR
;
1873 if (peer_rpk
== NULL
) {
1874 SSLfatal(sc
, SSL_AD_DECODE_ERROR
, SSL_R_BAD_CERTIFICATE
);
1875 return MSG_PROCESS_ERROR
;
1878 EVP_PKEY_free(sc
->session
->peer_rpk
);
1879 sc
->session
->peer_rpk
= peer_rpk
;
1881 return MSG_PROCESS_CONTINUE_PROCESSING
;
1884 static WORK_STATE
tls_post_process_server_rpk(SSL_CONNECTION
*sc
,
1888 const SSL_CERT_LOOKUP
*clu
;
1890 if (sc
->session
->peer_rpk
== NULL
) {
1891 SSLfatal(sc
, SSL_AD_ILLEGAL_PARAMETER
,
1892 SSL_R_INVALID_RAW_PUBLIC_KEY
);
1896 if (sc
->rwstate
== SSL_RETRY_VERIFY
)
1897 sc
->rwstate
= SSL_NOTHING
;
1898 if (ssl_verify_rpk(sc
, sc
->session
->peer_rpk
) > 0
1899 && sc
->rwstate
== SSL_RETRY_VERIFY
)
1902 if ((clu
= ssl_cert_lookup_by_pkey(sc
->session
->peer_rpk
, &certidx
,
1903 SSL_CONNECTION_GET_CTX(sc
))) == NULL
) {
1904 SSLfatal(sc
, SSL_AD_ILLEGAL_PARAMETER
, SSL_R_UNKNOWN_CERTIFICATE_TYPE
);
1909 * Check certificate type is consistent with ciphersuite. For TLS 1.3
1910 * skip check since TLS 1.3 ciphersuites can be used with any certificate
1913 if (!SSL_CONNECTION_IS_TLS13(sc
)) {
1914 if ((clu
->amask
& sc
->s3
.tmp
.new_cipher
->algorithm_auth
) == 0) {
1915 SSLfatal(sc
, SSL_AD_ILLEGAL_PARAMETER
, SSL_R_WRONG_RPK_TYPE
);
1920 /* Ensure there is no peer/peer_chain */
1921 X509_free(sc
->session
->peer
);
1922 sc
->session
->peer
= NULL
;
1923 sk_X509_pop_free(sc
->session
->peer_chain
, X509_free
);
1924 sc
->session
->peer_chain
= NULL
;
1925 sc
->session
->verify_result
= sc
->verify_result
;
1927 /* Save the current hash state for when we receive the CertificateVerify */
1928 if (SSL_CONNECTION_IS_TLS13(sc
)
1929 && !ssl_handshake_hash(sc
, sc
->cert_verify_hash
,
1930 sizeof(sc
->cert_verify_hash
),
1931 &sc
->cert_verify_hash_len
)) {
1932 /* SSLfatal() already called */
1936 return WORK_FINISHED_CONTINUE
;
1939 /* prepare server cert verification by setting s->session->peer_chain from pkt */
1940 MSG_PROCESS_RETURN
tls_process_server_certificate(SSL_CONNECTION
*s
,
1943 unsigned long cert_list_len
, cert_len
;
1945 const unsigned char *certstart
, *certbytes
;
1947 unsigned int context
= 0;
1948 SSL_CTX
*sctx
= SSL_CONNECTION_GET_CTX(s
);
1950 if (s
->ext
.server_cert_type
== TLSEXT_cert_type_rpk
)
1951 return tls_process_server_rpk(s
, pkt
);
1952 if (s
->ext
.server_cert_type
!= TLSEXT_cert_type_x509
) {
1953 SSLfatal(s
, SSL_AD_UNSUPPORTED_CERTIFICATE
,
1954 SSL_R_UNKNOWN_CERTIFICATE_TYPE
);
1958 if ((s
->session
->peer_chain
= sk_X509_new_null()) == NULL
) {
1959 SSLfatal(s
, SSL_AD_INTERNAL_ERROR
, ERR_R_CRYPTO_LIB
);
1963 if ((SSL_CONNECTION_IS_TLS13(s
) && !PACKET_get_1(pkt
, &context
))
1965 || !PACKET_get_net_3(pkt
, &cert_list_len
)
1966 || PACKET_remaining(pkt
) != cert_list_len
1967 || PACKET_remaining(pkt
) == 0) {
1968 SSLfatal(s
, SSL_AD_DECODE_ERROR
, SSL_R_LENGTH_MISMATCH
);
1971 for (chainidx
= 0; PACKET_remaining(pkt
); chainidx
++) {
1972 if (!PACKET_get_net_3(pkt
, &cert_len
)
1973 || !PACKET_get_bytes(pkt
, &certbytes
, cert_len
)) {
1974 SSLfatal(s
, SSL_AD_DECODE_ERROR
, SSL_R_CERT_LENGTH_MISMATCH
);
1978 certstart
= certbytes
;
1979 x
= X509_new_ex(sctx
->libctx
, sctx
->propq
);
1981 SSLfatal(s
, SSL_AD_DECODE_ERROR
, ERR_R_ASN1_LIB
);
1984 if (d2i_X509(&x
, (const unsigned char **)&certbytes
,
1985 cert_len
) == NULL
) {
1986 SSLfatal(s
, SSL_AD_BAD_CERTIFICATE
, ERR_R_ASN1_LIB
);
1990 if (certbytes
!= (certstart
+ cert_len
)) {
1991 SSLfatal(s
, SSL_AD_DECODE_ERROR
, SSL_R_CERT_LENGTH_MISMATCH
);
1995 if (SSL_CONNECTION_IS_TLS13(s
)) {
1996 RAW_EXTENSION
*rawexts
= NULL
;
1999 if (!PACKET_get_length_prefixed_2(pkt
, &extensions
)) {
2000 SSLfatal(s
, SSL_AD_DECODE_ERROR
, SSL_R_BAD_LENGTH
);
2003 if (!tls_collect_extensions(s
, &extensions
,
2004 SSL_EXT_TLS1_3_CERTIFICATE
, &rawexts
,
2005 NULL
, chainidx
== 0)
2006 || !tls_parse_all_extensions(s
, SSL_EXT_TLS1_3_CERTIFICATE
,
2007 rawexts
, x
, chainidx
,
2008 PACKET_remaining(pkt
) == 0)) {
2009 OPENSSL_free(rawexts
);
2010 /* SSLfatal already called */
2013 OPENSSL_free(rawexts
);
2016 if (!sk_X509_push(s
->session
->peer_chain
, x
)) {
2017 SSLfatal(s
, SSL_AD_INTERNAL_ERROR
, ERR_R_CRYPTO_LIB
);
2022 return MSG_PROCESS_CONTINUE_PROCESSING
;
2026 OSSL_STACK_OF_X509_free(s
->session
->peer_chain
);
2027 s
->session
->peer_chain
= NULL
;
2028 return MSG_PROCESS_ERROR
;
2032 * Verify the s->session->peer_chain and check server cert type.
2033 * On success set s->session->peer and s->session->verify_result.
2034 * Else the peer certificate verification callback may request retry.
2036 WORK_STATE
tls_post_process_server_certificate(SSL_CONNECTION
*s
,
2040 EVP_PKEY
*pkey
= NULL
;
2041 const SSL_CERT_LOOKUP
*clu
;
2045 if (s
->ext
.server_cert_type
== TLSEXT_cert_type_rpk
)
2046 return tls_post_process_server_rpk(s
, wst
);
2048 if (s
->rwstate
== SSL_RETRY_VERIFY
)
2049 s
->rwstate
= SSL_NOTHING
;
2050 i
= ssl_verify_cert_chain(s
, s
->session
->peer_chain
);
2051 if (i
> 0 && s
->rwstate
== SSL_RETRY_VERIFY
) {
2055 * The documented interface is that SSL_VERIFY_PEER should be set in order
2056 * for client side verification of the server certificate to take place.
2057 * However, historically the code has only checked that *any* flag is set
2058 * to cause server verification to take place. Use of the other flags makes
2059 * no sense in client mode. An attempt to clean up the semantics was
2060 * reverted because at least one application *only* set
2061 * SSL_VERIFY_FAIL_IF_NO_PEER_CERT. Prior to the clean up this still caused
2062 * server verification to take place, after the clean up it silently did
2063 * nothing. SSL_CTX_set_verify()/SSL_set_verify() cannot validate the flags
2064 * sent to them because they are void functions. Therefore, we now use the
2065 * (less clean) historic behaviour of performing validation if any flag is
2066 * set. The *documented* interface remains the same.
2068 if (s
->verify_mode
!= SSL_VERIFY_NONE
&& i
<= 0) {
2069 SSLfatal(s
, ssl_x509err2alert(s
->verify_result
),
2070 SSL_R_CERTIFICATE_VERIFY_FAILED
);
2073 ERR_clear_error(); /* but we keep s->verify_result */
2076 * Inconsistency alert: cert_chain does include the peer's certificate,
2077 * which we don't include in statem_srvr.c
2079 x
= sk_X509_value(s
->session
->peer_chain
, 0);
2081 pkey
= X509_get0_pubkey(x
);
2083 if (pkey
== NULL
|| EVP_PKEY_missing_parameters(pkey
)) {
2084 SSLfatal(s
, SSL_AD_INTERNAL_ERROR
,
2085 SSL_R_UNABLE_TO_FIND_PUBLIC_KEY_PARAMETERS
);
2089 if ((clu
= ssl_cert_lookup_by_pkey(pkey
, &certidx
,
2090 SSL_CONNECTION_GET_CTX(s
))) == NULL
) {
2091 SSLfatal(s
, SSL_AD_ILLEGAL_PARAMETER
, SSL_R_UNKNOWN_CERTIFICATE_TYPE
);
2095 * Check certificate type is consistent with ciphersuite. For TLS 1.3
2096 * skip check since TLS 1.3 ciphersuites can be used with any certificate
2099 if (!SSL_CONNECTION_IS_TLS13(s
)) {
2100 if ((clu
->amask
& s
->s3
.tmp
.new_cipher
->algorithm_auth
) == 0) {
2101 SSLfatal(s
, SSL_AD_ILLEGAL_PARAMETER
, SSL_R_WRONG_CERTIFICATE_TYPE
);
2106 X509_free(s
->session
->peer
);
2108 s
->session
->peer
= x
;
2109 s
->session
->verify_result
= s
->verify_result
;
2110 /* Ensure there is no RPK */
2111 EVP_PKEY_free(s
->session
->peer_rpk
);
2112 s
->session
->peer_rpk
= NULL
;
2114 /* Save the current hash state for when we receive the CertificateVerify */
2115 if (SSL_CONNECTION_IS_TLS13(s
)
2116 && !ssl_handshake_hash(s
, s
->cert_verify_hash
,
2117 sizeof(s
->cert_verify_hash
),
2118 &s
->cert_verify_hash_len
)) {
2119 /* SSLfatal() already called */;
2122 return WORK_FINISHED_CONTINUE
;
2125 #ifndef OPENSSL_NO_COMP_ALG
2126 MSG_PROCESS_RETURN
tls_process_server_compressed_certificate(SSL_CONNECTION
*sc
, PACKET
*pkt
)
2128 MSG_PROCESS_RETURN ret
= MSG_PROCESS_ERROR
;
2130 BUF_MEM
*buf
= BUF_MEM_new();
2132 if (tls13_process_compressed_certificate(sc
, pkt
, &tmppkt
, buf
) != MSG_PROCESS_ERROR
)
2133 ret
= tls_process_server_certificate(sc
, &tmppkt
);
2140 static int tls_process_ske_psk_preamble(SSL_CONNECTION
*s
, PACKET
*pkt
)
2142 #ifndef OPENSSL_NO_PSK
2143 PACKET psk_identity_hint
;
2145 /* PSK ciphersuites are preceded by an identity hint */
2147 if (!PACKET_get_length_prefixed_2(pkt
, &psk_identity_hint
)) {
2148 SSLfatal(s
, SSL_AD_DECODE_ERROR
, SSL_R_LENGTH_MISMATCH
);
2153 * Store PSK identity hint for later use, hint is used in
2154 * tls_construct_client_key_exchange. Assume that the maximum length of
2155 * a PSK identity hint can be as long as the maximum length of a PSK
2158 if (PACKET_remaining(&psk_identity_hint
) > PSK_MAX_IDENTITY_LEN
) {
2159 SSLfatal(s
, SSL_AD_HANDSHAKE_FAILURE
, SSL_R_DATA_LENGTH_TOO_LONG
);
2163 if (PACKET_remaining(&psk_identity_hint
) == 0) {
2164 OPENSSL_free(s
->session
->psk_identity_hint
);
2165 s
->session
->psk_identity_hint
= NULL
;
2166 } else if (!PACKET_strndup(&psk_identity_hint
,
2167 &s
->session
->psk_identity_hint
)) {
2168 SSLfatal(s
, SSL_AD_INTERNAL_ERROR
, ERR_R_INTERNAL_ERROR
);
2174 SSLfatal(s
, SSL_AD_INTERNAL_ERROR
, ERR_R_INTERNAL_ERROR
);
2179 static int tls_process_ske_srp(SSL_CONNECTION
*s
, PACKET
*pkt
, EVP_PKEY
**pkey
)
2181 #ifndef OPENSSL_NO_SRP
2182 PACKET prime
, generator
, salt
, server_pub
;
2184 if (!PACKET_get_length_prefixed_2(pkt
, &prime
)
2185 || !PACKET_get_length_prefixed_2(pkt
, &generator
)
2186 || !PACKET_get_length_prefixed_1(pkt
, &salt
)
2187 || !PACKET_get_length_prefixed_2(pkt
, &server_pub
)) {
2188 SSLfatal(s
, SSL_AD_DECODE_ERROR
, SSL_R_LENGTH_MISMATCH
);
2193 BN_bin2bn(PACKET_data(&prime
),
2194 (int)PACKET_remaining(&prime
), NULL
)) == NULL
2196 BN_bin2bn(PACKET_data(&generator
),
2197 (int)PACKET_remaining(&generator
), NULL
)) == NULL
2199 BN_bin2bn(PACKET_data(&salt
),
2200 (int)PACKET_remaining(&salt
), NULL
)) == NULL
2202 BN_bin2bn(PACKET_data(&server_pub
),
2203 (int)PACKET_remaining(&server_pub
), NULL
)) == NULL
) {
2204 SSLfatal(s
, SSL_AD_INTERNAL_ERROR
, ERR_R_BN_LIB
);
2208 if (!srp_verify_server_param(s
)) {
2209 /* SSLfatal() already called */
2213 /* We must check if there is a certificate */
2214 if (s
->s3
.tmp
.new_cipher
->algorithm_auth
& (SSL_aRSA
| SSL_aDSS
))
2215 *pkey
= tls_get_peer_pkey(s
);
2219 SSLfatal(s
, SSL_AD_INTERNAL_ERROR
, ERR_R_INTERNAL_ERROR
);
2224 static int tls_process_ske_dhe(SSL_CONNECTION
*s
, PACKET
*pkt
, EVP_PKEY
**pkey
)
2226 PACKET prime
, generator
, pub_key
;
2227 EVP_PKEY
*peer_tmp
= NULL
;
2228 BIGNUM
*p
= NULL
, *g
= NULL
, *bnpub_key
= NULL
;
2229 EVP_PKEY_CTX
*pctx
= NULL
;
2230 OSSL_PARAM
*params
= NULL
;
2231 OSSL_PARAM_BLD
*tmpl
= NULL
;
2232 SSL_CTX
*sctx
= SSL_CONNECTION_GET_CTX(s
);
2235 if (!PACKET_get_length_prefixed_2(pkt
, &prime
)
2236 || !PACKET_get_length_prefixed_2(pkt
, &generator
)
2237 || !PACKET_get_length_prefixed_2(pkt
, &pub_key
)) {
2238 SSLfatal(s
, SSL_AD_DECODE_ERROR
, SSL_R_LENGTH_MISMATCH
);
2242 p
= BN_bin2bn(PACKET_data(&prime
), (int)PACKET_remaining(&prime
), NULL
);
2243 g
= BN_bin2bn(PACKET_data(&generator
), (int)PACKET_remaining(&generator
),
2245 bnpub_key
= BN_bin2bn(PACKET_data(&pub_key
),
2246 (int)PACKET_remaining(&pub_key
), NULL
);
2247 if (p
== NULL
|| g
== NULL
|| bnpub_key
== NULL
) {
2248 SSLfatal(s
, SSL_AD_INTERNAL_ERROR
, ERR_R_BN_LIB
);
2252 tmpl
= OSSL_PARAM_BLD_new();
2254 || !OSSL_PARAM_BLD_push_BN(tmpl
, OSSL_PKEY_PARAM_FFC_P
, p
)
2255 || !OSSL_PARAM_BLD_push_BN(tmpl
, OSSL_PKEY_PARAM_FFC_G
, g
)
2256 || !OSSL_PARAM_BLD_push_BN(tmpl
, OSSL_PKEY_PARAM_PUB_KEY
,
2258 || (params
= OSSL_PARAM_BLD_to_param(tmpl
)) == NULL
) {
2259 SSLfatal(s
, SSL_AD_INTERNAL_ERROR
, ERR_R_INTERNAL_ERROR
);
2263 pctx
= EVP_PKEY_CTX_new_from_name(sctx
->libctx
, "DH", sctx
->propq
);
2265 SSLfatal(s
, SSL_AD_INTERNAL_ERROR
, ERR_R_INTERNAL_ERROR
);
2268 if (EVP_PKEY_fromdata_init(pctx
) <= 0
2269 || EVP_PKEY_fromdata(pctx
, &peer_tmp
, EVP_PKEY_KEYPAIR
, params
) <= 0) {
2270 SSLfatal(s
, SSL_AD_INTERNAL_ERROR
, SSL_R_BAD_DH_VALUE
);
2274 EVP_PKEY_CTX_free(pctx
);
2275 pctx
= EVP_PKEY_CTX_new_from_pkey(sctx
->libctx
, peer_tmp
, sctx
->propq
);
2278 * EVP_PKEY_param_check() will verify that the DH params are using
2279 * a safe prime. In this context, because we're using ephemeral DH,
2280 * we're ok with it not being a safe prime.
2281 * EVP_PKEY_param_check_quick() skips the safe prime check.
2283 || EVP_PKEY_param_check_quick(pctx
) != 1
2284 || EVP_PKEY_public_check(pctx
) != 1) {
2285 SSLfatal(s
, SSL_AD_ILLEGAL_PARAMETER
, SSL_R_BAD_DH_VALUE
);
2289 if (!ssl_security(s
, SSL_SECOP_TMP_DH
,
2290 EVP_PKEY_get_security_bits(peer_tmp
),
2292 SSLfatal(s
, SSL_AD_HANDSHAKE_FAILURE
, SSL_R_DH_KEY_TOO_SMALL
);
2296 s
->s3
.peer_tmp
= peer_tmp
;
2300 * FIXME: This makes assumptions about which ciphersuites come with
2301 * public keys. We should have a less ad-hoc way of doing this
2303 if (s
->s3
.tmp
.new_cipher
->algorithm_auth
& (SSL_aRSA
| SSL_aDSS
))
2304 *pkey
= tls_get_peer_pkey(s
);
2305 /* else anonymous DH, so no certificate or pkey. */
2310 OSSL_PARAM_BLD_free(tmpl
);
2311 OSSL_PARAM_free(params
);
2312 EVP_PKEY_free(peer_tmp
);
2313 EVP_PKEY_CTX_free(pctx
);
2321 static int tls_process_ske_ecdhe(SSL_CONNECTION
*s
, PACKET
*pkt
, EVP_PKEY
**pkey
)
2324 unsigned int curve_type
, curve_id
;
2327 * Extract elliptic curve parameters and the server's ephemeral ECDH
2328 * public key. We only support named (not generic) curves and
2329 * ECParameters in this case is just three bytes.
2331 if (!PACKET_get_1(pkt
, &curve_type
) || !PACKET_get_net_2(pkt
, &curve_id
)) {
2332 SSLfatal(s
, SSL_AD_DECODE_ERROR
, SSL_R_LENGTH_TOO_SHORT
);
2336 * Check curve is named curve type and one of our preferences, if not
2337 * server has sent an invalid curve.
2339 if (curve_type
!= NAMED_CURVE_TYPE
2340 || !tls1_check_group_id(s
, curve_id
, 1)) {
2341 SSLfatal(s
, SSL_AD_ILLEGAL_PARAMETER
, SSL_R_WRONG_CURVE
);
2345 if ((s
->s3
.peer_tmp
= ssl_generate_param_group(s
, curve_id
)) == NULL
) {
2346 SSLfatal(s
, SSL_AD_INTERNAL_ERROR
,
2347 SSL_R_UNABLE_TO_FIND_ECDH_PARAMETERS
);
2351 if (!PACKET_get_length_prefixed_1(pkt
, &encoded_pt
)) {
2352 SSLfatal(s
, SSL_AD_DECODE_ERROR
, SSL_R_LENGTH_MISMATCH
);
2356 if (EVP_PKEY_set1_encoded_public_key(s
->s3
.peer_tmp
,
2357 PACKET_data(&encoded_pt
),
2358 PACKET_remaining(&encoded_pt
)) <= 0) {
2359 SSLfatal(s
, SSL_AD_ILLEGAL_PARAMETER
, SSL_R_BAD_ECPOINT
);
2364 * The ECC/TLS specification does not mention the use of DSA to sign
2365 * ECParameters in the server key exchange message. We do support RSA
2368 if (s
->s3
.tmp
.new_cipher
->algorithm_auth
& SSL_aECDSA
)
2369 *pkey
= tls_get_peer_pkey(s
);
2370 else if (s
->s3
.tmp
.new_cipher
->algorithm_auth
& SSL_aRSA
)
2371 *pkey
= tls_get_peer_pkey(s
);
2372 /* else anonymous ECDH, so no certificate or pkey. */
2374 /* Cache the agreed upon group in the SSL_SESSION */
2375 s
->session
->kex_group
= curve_id
;
2379 MSG_PROCESS_RETURN
tls_process_key_exchange(SSL_CONNECTION
*s
, PACKET
*pkt
)
2382 EVP_PKEY
*pkey
= NULL
;
2383 EVP_MD_CTX
*md_ctx
= NULL
;
2384 EVP_PKEY_CTX
*pctx
= NULL
;
2385 PACKET save_param_start
, signature
;
2386 SSL_CTX
*sctx
= SSL_CONNECTION_GET_CTX(s
);
2388 alg_k
= s
->s3
.tmp
.new_cipher
->algorithm_mkey
;
2390 save_param_start
= *pkt
;
2392 EVP_PKEY_free(s
->s3
.peer_tmp
);
2393 s
->s3
.peer_tmp
= NULL
;
2395 if (alg_k
& SSL_PSK
) {
2396 if (!tls_process_ske_psk_preamble(s
, pkt
)) {
2397 /* SSLfatal() already called */
2402 /* Nothing else to do for plain PSK or RSAPSK */
2403 if (alg_k
& (SSL_kPSK
| SSL_kRSAPSK
)) {
2404 } else if (alg_k
& SSL_kSRP
) {
2405 if (!tls_process_ske_srp(s
, pkt
, &pkey
)) {
2406 /* SSLfatal() already called */
2409 } else if (alg_k
& (SSL_kDHE
| SSL_kDHEPSK
)) {
2410 if (!tls_process_ske_dhe(s
, pkt
, &pkey
)) {
2411 /* SSLfatal() already called */
2414 } else if (alg_k
& (SSL_kECDHE
| SSL_kECDHEPSK
)) {
2415 if (!tls_process_ske_ecdhe(s
, pkt
, &pkey
)) {
2416 /* SSLfatal() already called */
2420 SSLfatal(s
, SSL_AD_UNEXPECTED_MESSAGE
, SSL_R_UNEXPECTED_MESSAGE
);
2424 /* if it was signed, check the signature */
2427 const EVP_MD
*md
= NULL
;
2433 * |pkt| now points to the beginning of the signature, so the difference
2434 * equals the length of the parameters.
2436 if (!PACKET_get_sub_packet(&save_param_start
, ¶ms
,
2437 PACKET_remaining(&save_param_start
) -
2438 PACKET_remaining(pkt
))) {
2439 SSLfatal(s
, SSL_AD_DECODE_ERROR
, ERR_R_INTERNAL_ERROR
);
2443 if (SSL_USE_SIGALGS(s
)) {
2444 unsigned int sigalg
;
2446 if (!PACKET_get_net_2(pkt
, &sigalg
)) {
2447 SSLfatal(s
, SSL_AD_DECODE_ERROR
, SSL_R_LENGTH_TOO_SHORT
);
2450 if (tls12_check_peer_sigalg(s
, sigalg
, pkey
) <=0) {
2451 /* SSLfatal() already called */
2454 } else if (!tls1_set_peer_legacy_sigalg(s
, pkey
)) {
2455 SSLfatal(s
, SSL_AD_INTERNAL_ERROR
,
2456 SSL_R_LEGACY_SIGALG_DISALLOWED_OR_UNSUPPORTED
);
2460 if (!tls1_lookup_md(sctx
, s
->s3
.tmp
.peer_sigalg
, &md
)) {
2461 SSLfatal(s
, SSL_AD_INTERNAL_ERROR
,
2462 SSL_R_NO_SUITABLE_DIGEST_ALGORITHM
);
2465 if (SSL_USE_SIGALGS(s
))
2466 OSSL_TRACE1(TLS
, "USING TLSv1.2 HASH %s\n",
2467 md
== NULL
? "n/a" : EVP_MD_get0_name(md
));
2469 if (!PACKET_get_length_prefixed_2(pkt
, &signature
)
2470 || PACKET_remaining(pkt
) != 0) {
2471 SSLfatal(s
, SSL_AD_DECODE_ERROR
, SSL_R_LENGTH_MISMATCH
);
2475 md_ctx
= EVP_MD_CTX_new();
2476 if (md_ctx
== NULL
) {
2477 SSLfatal(s
, SSL_AD_INTERNAL_ERROR
, ERR_R_EVP_LIB
);
2481 if (EVP_DigestVerifyInit_ex(md_ctx
, &pctx
,
2482 md
== NULL
? NULL
: EVP_MD_get0_name(md
),
2483 sctx
->libctx
, sctx
->propq
, pkey
,
2485 SSLfatal(s
, SSL_AD_INTERNAL_ERROR
, ERR_R_EVP_LIB
);
2488 if (SSL_USE_PSS(s
)) {
2489 if (EVP_PKEY_CTX_set_rsa_padding(pctx
, RSA_PKCS1_PSS_PADDING
) <= 0
2490 || EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx
,
2491 RSA_PSS_SALTLEN_DIGEST
) <= 0) {
2492 SSLfatal(s
, SSL_AD_INTERNAL_ERROR
, ERR_R_EVP_LIB
);
2496 tbslen
= construct_key_exchange_tbs(s
, &tbs
, PACKET_data(¶ms
),
2497 PACKET_remaining(¶ms
));
2499 /* SSLfatal() already called */
2503 rv
= EVP_DigestVerify(md_ctx
, PACKET_data(&signature
),
2504 PACKET_remaining(&signature
), tbs
, tbslen
);
2507 SSLfatal(s
, SSL_AD_DECRYPT_ERROR
, SSL_R_BAD_SIGNATURE
);
2510 EVP_MD_CTX_free(md_ctx
);
2513 /* aNULL, aSRP or PSK do not need public keys */
2514 if (!(s
->s3
.tmp
.new_cipher
->algorithm_auth
& (SSL_aNULL
| SSL_aSRP
))
2515 && !(alg_k
& SSL_PSK
)) {
2516 /* Might be wrong key type, check it */
2517 if (ssl3_check_cert_and_algorithm(s
)) {
2518 SSLfatal(s
, SSL_AD_DECODE_ERROR
, SSL_R_BAD_DATA
);
2520 /* else this shouldn't happen, SSLfatal() already called */
2523 /* still data left over */
2524 if (PACKET_remaining(pkt
) != 0) {
2525 SSLfatal(s
, SSL_AD_DECODE_ERROR
, SSL_R_EXTRA_DATA_IN_MESSAGE
);
2530 return MSG_PROCESS_CONTINUE_READING
;
2532 EVP_MD_CTX_free(md_ctx
);
2533 return MSG_PROCESS_ERROR
;
2536 MSG_PROCESS_RETURN
tls_process_certificate_request(SSL_CONNECTION
*s
,
2539 /* Clear certificate validity flags */
2540 if (s
->s3
.tmp
.valid_flags
!= NULL
)
2541 memset(s
->s3
.tmp
.valid_flags
, 0, s
->ssl_pkey_num
* sizeof(uint32_t));
2543 s
->s3
.tmp
.valid_flags
= OPENSSL_zalloc(s
->ssl_pkey_num
* sizeof(uint32_t));
2545 /* Give up for good if allocation didn't work */
2546 if (s
->s3
.tmp
.valid_flags
== NULL
)
2549 if (SSL_CONNECTION_IS_TLS13(s
)) {
2550 PACKET reqctx
, extensions
;
2551 RAW_EXTENSION
*rawexts
= NULL
;
2553 if ((s
->shutdown
& SSL_SENT_SHUTDOWN
) != 0) {
2555 * We already sent close_notify. This can only happen in TLSv1.3
2556 * post-handshake messages. We can't reasonably respond to this, so
2559 return MSG_PROCESS_FINISHED_READING
;
2562 /* Free and zero certificate types: it is not present in TLS 1.3 */
2563 OPENSSL_free(s
->s3
.tmp
.ctype
);
2564 s
->s3
.tmp
.ctype
= NULL
;
2565 s
->s3
.tmp
.ctype_len
= 0;
2566 OPENSSL_free(s
->pha_context
);
2567 s
->pha_context
= NULL
;
2568 s
->pha_context_len
= 0;
2570 if (!PACKET_get_length_prefixed_1(pkt
, &reqctx
) ||
2571 !PACKET_memdup(&reqctx
, &s
->pha_context
, &s
->pha_context_len
)) {
2572 SSLfatal(s
, SSL_AD_DECODE_ERROR
, SSL_R_LENGTH_MISMATCH
);
2573 return MSG_PROCESS_ERROR
;
2576 if (!PACKET_get_length_prefixed_2(pkt
, &extensions
)) {
2577 SSLfatal(s
, SSL_AD_DECODE_ERROR
, SSL_R_BAD_LENGTH
);
2578 return MSG_PROCESS_ERROR
;
2580 if (!tls_collect_extensions(s
, &extensions
,
2581 SSL_EXT_TLS1_3_CERTIFICATE_REQUEST
,
2583 || !tls_parse_all_extensions(s
, SSL_EXT_TLS1_3_CERTIFICATE_REQUEST
,
2584 rawexts
, NULL
, 0, 1)) {
2585 /* SSLfatal() already called */
2586 OPENSSL_free(rawexts
);
2587 return MSG_PROCESS_ERROR
;
2589 OPENSSL_free(rawexts
);
2590 if (!tls1_process_sigalgs(s
)) {
2591 SSLfatal(s
, SSL_AD_INTERNAL_ERROR
, SSL_R_BAD_LENGTH
);
2592 return MSG_PROCESS_ERROR
;
2597 /* get the certificate types */
2598 if (!PACKET_get_length_prefixed_1(pkt
, &ctypes
)) {
2599 SSLfatal(s
, SSL_AD_DECODE_ERROR
, SSL_R_LENGTH_MISMATCH
);
2600 return MSG_PROCESS_ERROR
;
2603 if (!PACKET_memdup(&ctypes
, &s
->s3
.tmp
.ctype
, &s
->s3
.tmp
.ctype_len
)) {
2604 SSLfatal(s
, SSL_AD_INTERNAL_ERROR
, ERR_R_INTERNAL_ERROR
);
2605 return MSG_PROCESS_ERROR
;
2608 if (SSL_USE_SIGALGS(s
)) {
2611 if (!PACKET_get_length_prefixed_2(pkt
, &sigalgs
)) {
2612 SSLfatal(s
, SSL_AD_DECODE_ERROR
, SSL_R_LENGTH_MISMATCH
);
2613 return MSG_PROCESS_ERROR
;
2617 * Despite this being for certificates, preserve compatibility
2618 * with pre-TLS 1.3 and use the regular sigalgs field.
2620 if (!tls1_save_sigalgs(s
, &sigalgs
, 0)) {
2621 SSLfatal(s
, SSL_AD_INTERNAL_ERROR
,
2622 SSL_R_SIGNATURE_ALGORITHMS_ERROR
);
2623 return MSG_PROCESS_ERROR
;
2625 if (!tls1_process_sigalgs(s
)) {
2626 SSLfatal(s
, SSL_AD_INTERNAL_ERROR
, ERR_R_SSL_LIB
);
2627 return MSG_PROCESS_ERROR
;
2631 /* get the CA RDNs */
2632 if (!parse_ca_names(s
, pkt
)) {
2633 /* SSLfatal() already called */
2634 return MSG_PROCESS_ERROR
;
2638 if (PACKET_remaining(pkt
) != 0) {
2639 SSLfatal(s
, SSL_AD_DECODE_ERROR
, SSL_R_LENGTH_MISMATCH
);
2640 return MSG_PROCESS_ERROR
;
2643 /* we should setup a certificate to return.... */
2644 s
->s3
.tmp
.cert_req
= 1;
2647 * In TLSv1.3 we don't prepare the client certificate yet. We wait until
2648 * after the CertificateVerify message has been received. This is because
2649 * in TLSv1.3 the CertificateRequest arrives before the Certificate message
2650 * but in TLSv1.2 it is the other way around. We want to make sure that
2651 * SSL_get1_peer_certificate() returns something sensible in
2654 if (SSL_CONNECTION_IS_TLS13(s
)
2655 && s
->post_handshake_auth
!= SSL_PHA_REQUESTED
)
2656 return MSG_PROCESS_CONTINUE_READING
;
2658 return MSG_PROCESS_CONTINUE_PROCESSING
;
2661 MSG_PROCESS_RETURN
tls_process_new_session_ticket(SSL_CONNECTION
*s
,
2664 unsigned int ticklen
;
2665 unsigned long ticket_lifetime_hint
, age_add
= 0;
2666 unsigned int sess_len
;
2667 RAW_EXTENSION
*exts
= NULL
;
2669 EVP_MD
*sha256
= NULL
;
2670 SSL_CTX
*sctx
= SSL_CONNECTION_GET_CTX(s
);
2672 PACKET_null_init(&nonce
);
2674 if (!PACKET_get_net_4(pkt
, &ticket_lifetime_hint
)
2675 || (SSL_CONNECTION_IS_TLS13(s
)
2676 && (!PACKET_get_net_4(pkt
, &age_add
)
2677 || !PACKET_get_length_prefixed_1(pkt
, &nonce
)))
2678 || !PACKET_get_net_2(pkt
, &ticklen
)
2679 || (SSL_CONNECTION_IS_TLS13(s
) ? (ticklen
== 0
2680 || PACKET_remaining(pkt
) < ticklen
)
2681 : PACKET_remaining(pkt
) != ticklen
)) {
2682 SSLfatal(s
, SSL_AD_DECODE_ERROR
, SSL_R_LENGTH_MISMATCH
);
2687 * Server is allowed to change its mind (in <=TLSv1.2) and send an empty
2688 * ticket. We already checked this TLSv1.3 case above, so it should never
2689 * be 0 here in that instance
2692 return MSG_PROCESS_CONTINUE_READING
;
2695 * Sessions must be immutable once they go into the session cache. Otherwise
2696 * we can get multi-thread problems. Therefore we don't "update" sessions,
2697 * we replace them with a duplicate. In TLSv1.3 we need to do this every
2698 * time a NewSessionTicket arrives because those messages arrive
2699 * post-handshake and the session may have already gone into the session
2702 if (SSL_CONNECTION_IS_TLS13(s
) || s
->session
->session_id_length
> 0) {
2703 SSL_SESSION
*new_sess
;
2706 * We reused an existing session, so we need to replace it with a new
2709 if ((new_sess
= ssl_session_dup(s
->session
, 0)) == 0) {
2710 SSLfatal(s
, SSL_AD_INTERNAL_ERROR
, ERR_R_SSL_LIB
);
2714 if ((s
->session_ctx
->session_cache_mode
& SSL_SESS_CACHE_CLIENT
) != 0
2715 && !SSL_CONNECTION_IS_TLS13(s
)) {
2717 * In TLSv1.2 and below the arrival of a new tickets signals that
2718 * any old ticket we were using is now out of date, so we remove the
2719 * old session from the cache. We carry on if this fails
2721 SSL_CTX_remove_session(s
->session_ctx
, s
->session
);
2724 SSL_SESSION_free(s
->session
);
2725 s
->session
= new_sess
;
2728 s
->session
->time
= ossl_time_now();
2729 ssl_session_calculate_timeout(s
->session
);
2731 OPENSSL_free(s
->session
->ext
.tick
);
2732 s
->session
->ext
.tick
= NULL
;
2733 s
->session
->ext
.ticklen
= 0;
2735 s
->session
->ext
.tick
= OPENSSL_malloc(ticklen
);
2736 if (s
->session
->ext
.tick
== NULL
) {
2737 SSLfatal(s
, SSL_AD_INTERNAL_ERROR
, ERR_R_CRYPTO_LIB
);
2740 if (!PACKET_copy_bytes(pkt
, s
->session
->ext
.tick
, ticklen
)) {
2741 SSLfatal(s
, SSL_AD_DECODE_ERROR
, SSL_R_LENGTH_MISMATCH
);
2745 s
->session
->ext
.tick_lifetime_hint
= ticket_lifetime_hint
;
2746 s
->session
->ext
.tick_age_add
= age_add
;
2747 s
->session
->ext
.ticklen
= ticklen
;
2749 if (SSL_CONNECTION_IS_TLS13(s
)) {
2752 if (!PACKET_as_length_prefixed_2(pkt
, &extpkt
)
2753 || PACKET_remaining(pkt
) != 0) {
2754 SSLfatal(s
, SSL_AD_DECODE_ERROR
, SSL_R_LENGTH_MISMATCH
);
2758 if (!tls_collect_extensions(s
, &extpkt
,
2759 SSL_EXT_TLS1_3_NEW_SESSION_TICKET
, &exts
,
2761 || !tls_parse_all_extensions(s
,
2762 SSL_EXT_TLS1_3_NEW_SESSION_TICKET
,
2763 exts
, NULL
, 0, 1)) {
2764 /* SSLfatal() already called */
2770 * There are two ways to detect a resumed ticket session. One is to set
2771 * an appropriate session ID and then the server must return a match in
2772 * ServerHello. This allows the normal client session ID matching to work
2773 * and we know much earlier that the ticket has been accepted. The
2774 * other way is to set zero length session ID when the ticket is
2775 * presented and rely on the handshake to determine session resumption.
2776 * We choose the former approach because this fits in with assumptions
2777 * elsewhere in OpenSSL. The session ID is set to the SHA256 hash of the
2780 sha256
= EVP_MD_fetch(sctx
->libctx
, "SHA2-256", sctx
->propq
);
2781 if (sha256
== NULL
) {
2782 /* Error is already recorded */
2783 SSLfatal_alert(s
, SSL_AD_INTERNAL_ERROR
);
2787 * We use sess_len here because EVP_Digest expects an int
2788 * but s->session->session_id_length is a size_t
2790 if (!EVP_Digest(s
->session
->ext
.tick
, ticklen
,
2791 s
->session
->session_id
, &sess_len
,
2793 SSLfatal(s
, SSL_AD_INTERNAL_ERROR
, ERR_R_EVP_LIB
);
2796 EVP_MD_free(sha256
);
2798 s
->session
->session_id_length
= sess_len
;
2799 s
->session
->not_resumable
= 0;
2801 /* This is a standalone message in TLSv1.3, so there is no more to read */
2802 if (SSL_CONNECTION_IS_TLS13(s
)) {
2803 const EVP_MD
*md
= ssl_handshake_md(s
);
2804 int hashleni
= EVP_MD_get_size(md
);
2806 static const unsigned char nonce_label
[] = "resumption";
2808 /* Ensure cast to size_t is safe */
2809 if (!ossl_assert(hashleni
>= 0)) {
2810 SSLfatal(s
, SSL_AD_INTERNAL_ERROR
, ERR_R_INTERNAL_ERROR
);
2813 hashlen
= (size_t)hashleni
;
2815 if (!tls13_hkdf_expand(s
, md
, s
->resumption_master_secret
,
2817 sizeof(nonce_label
) - 1,
2818 PACKET_data(&nonce
),
2819 PACKET_remaining(&nonce
),
2820 s
->session
->master_key
,
2822 /* SSLfatal() already called */
2825 s
->session
->master_key_length
= hashlen
;
2828 ssl_update_cache(s
, SSL_SESS_CACHE_CLIENT
);
2829 return MSG_PROCESS_FINISHED_READING
;
2832 return MSG_PROCESS_CONTINUE_READING
;
2834 EVP_MD_free(sha256
);
2836 return MSG_PROCESS_ERROR
;
2840 * In TLSv1.3 this is called from the extensions code, otherwise it is used to
2841 * parse a separate message. Returns 1 on success or 0 on failure
2843 int tls_process_cert_status_body(SSL_CONNECTION
*s
, PACKET
*pkt
)
2848 if (!PACKET_get_1(pkt
, &type
)
2849 || type
!= TLSEXT_STATUSTYPE_ocsp
) {
2850 SSLfatal(s
, SSL_AD_DECODE_ERROR
, SSL_R_UNSUPPORTED_STATUS_TYPE
);
2853 if (!PACKET_get_net_3_len(pkt
, &resplen
)
2854 || PACKET_remaining(pkt
) != resplen
) {
2855 SSLfatal(s
, SSL_AD_DECODE_ERROR
, SSL_R_LENGTH_MISMATCH
);
2858 s
->ext
.ocsp
.resp
= OPENSSL_malloc(resplen
);
2859 if (s
->ext
.ocsp
.resp
== NULL
) {
2860 s
->ext
.ocsp
.resp_len
= 0;
2861 SSLfatal(s
, SSL_AD_INTERNAL_ERROR
, ERR_R_CRYPTO_LIB
);
2864 s
->ext
.ocsp
.resp_len
= resplen
;
2865 if (!PACKET_copy_bytes(pkt
, s
->ext
.ocsp
.resp
, resplen
)) {
2866 SSLfatal(s
, SSL_AD_DECODE_ERROR
, SSL_R_LENGTH_MISMATCH
);
2874 MSG_PROCESS_RETURN
tls_process_cert_status(SSL_CONNECTION
*s
, PACKET
*pkt
)
2876 if (!tls_process_cert_status_body(s
, pkt
)) {
2877 /* SSLfatal() already called */
2878 return MSG_PROCESS_ERROR
;
2881 return MSG_PROCESS_CONTINUE_READING
;
2885 * Perform miscellaneous checks and processing after we have received the
2886 * server's initial flight. In TLS1.3 this is after the Server Finished message.
2887 * In <=TLS1.2 this is after the ServerDone message. Returns 1 on success or 0
2890 int tls_process_initial_server_flight(SSL_CONNECTION
*s
)
2892 SSL_CTX
*sctx
= SSL_CONNECTION_GET_CTX(s
);
2895 * at this point we check that we have the required stuff from
2898 if (!ssl3_check_cert_and_algorithm(s
)) {
2899 /* SSLfatal() already called */
2904 * Call the ocsp status callback if needed. The |ext.ocsp.resp| and
2905 * |ext.ocsp.resp_len| values will be set if we actually received a status
2906 * message, or NULL and -1 otherwise
2908 if (s
->ext
.status_type
!= TLSEXT_STATUSTYPE_nothing
2909 && sctx
->ext
.status_cb
!= NULL
) {
2910 int ret
= sctx
->ext
.status_cb(SSL_CONNECTION_GET_SSL(s
),
2911 sctx
->ext
.status_arg
);
2914 SSLfatal(s
, SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE
,
2915 SSL_R_INVALID_STATUS_RESPONSE
);
2919 SSLfatal(s
, SSL_AD_INTERNAL_ERROR
,
2920 SSL_R_OCSP_CALLBACK_FAILURE
);
2924 #ifndef OPENSSL_NO_CT
2925 if (s
->ct_validation_callback
!= NULL
) {
2926 /* Note we validate the SCTs whether or not we abort on error */
2927 if (!ssl_validate_ct(s
) && (s
->verify_mode
& SSL_VERIFY_PEER
)) {
2928 /* SSLfatal() already called */
2937 MSG_PROCESS_RETURN
tls_process_server_done(SSL_CONNECTION
*s
, PACKET
*pkt
)
2939 if (PACKET_remaining(pkt
) > 0) {
2940 /* should contain no data */
2941 SSLfatal(s
, SSL_AD_DECODE_ERROR
, SSL_R_LENGTH_MISMATCH
);
2942 return MSG_PROCESS_ERROR
;
2944 #ifndef OPENSSL_NO_SRP
2945 if (s
->s3
.tmp
.new_cipher
->algorithm_mkey
& SSL_kSRP
) {
2946 if (ssl_srp_calc_a_param_intern(s
) <= 0) {
2947 SSLfatal(s
, SSL_AD_INTERNAL_ERROR
, SSL_R_SRP_A_CALC
);
2948 return MSG_PROCESS_ERROR
;
2953 if (!tls_process_initial_server_flight(s
)) {
2954 /* SSLfatal() already called */
2955 return MSG_PROCESS_ERROR
;
2958 return MSG_PROCESS_FINISHED_READING
;
2961 static int tls_construct_cke_psk_preamble(SSL_CONNECTION
*s
, WPACKET
*pkt
)
2963 #ifndef OPENSSL_NO_PSK
2966 * The callback needs PSK_MAX_IDENTITY_LEN + 1 bytes to return a
2967 * \0-terminated identity. The last byte is for us for simulating
2970 char identity
[PSK_MAX_IDENTITY_LEN
+ 1];
2971 size_t identitylen
= 0;
2972 unsigned char psk
[PSK_MAX_PSK_LEN
];
2973 unsigned char *tmppsk
= NULL
;
2974 char *tmpidentity
= NULL
;
2977 if (s
->psk_client_callback
== NULL
) {
2978 SSLfatal(s
, SSL_AD_INTERNAL_ERROR
, SSL_R_PSK_NO_CLIENT_CB
);
2982 memset(identity
, 0, sizeof(identity
));
2984 psklen
= s
->psk_client_callback(SSL_CONNECTION_GET_SSL(s
),
2985 s
->session
->psk_identity_hint
,
2986 identity
, sizeof(identity
) - 1,
2989 if (psklen
> PSK_MAX_PSK_LEN
) {
2990 SSLfatal(s
, SSL_AD_HANDSHAKE_FAILURE
, ERR_R_INTERNAL_ERROR
);
2991 psklen
= PSK_MAX_PSK_LEN
; /* Avoid overrunning the array on cleanse */
2993 } else if (psklen
== 0) {
2994 SSLfatal(s
, SSL_AD_HANDSHAKE_FAILURE
, SSL_R_PSK_IDENTITY_NOT_FOUND
);
2998 identitylen
= strlen(identity
);
2999 if (identitylen
> PSK_MAX_IDENTITY_LEN
) {
3000 SSLfatal(s
, SSL_AD_INTERNAL_ERROR
, ERR_R_INTERNAL_ERROR
);
3004 tmppsk
= OPENSSL_memdup(psk
, psklen
);
3005 tmpidentity
= OPENSSL_strdup(identity
);
3006 if (tmppsk
== NULL
|| tmpidentity
== NULL
) {
3007 SSLfatal(s
, SSL_AD_INTERNAL_ERROR
, ERR_R_CRYPTO_LIB
);
3011 OPENSSL_free(s
->s3
.tmp
.psk
);
3012 s
->s3
.tmp
.psk
= tmppsk
;
3013 s
->s3
.tmp
.psklen
= psklen
;
3015 OPENSSL_free(s
->session
->psk_identity
);
3016 s
->session
->psk_identity
= tmpidentity
;
3019 if (!WPACKET_sub_memcpy_u16(pkt
, identity
, identitylen
)) {
3020 SSLfatal(s
, SSL_AD_INTERNAL_ERROR
, ERR_R_INTERNAL_ERROR
);
3027 OPENSSL_cleanse(psk
, psklen
);
3028 OPENSSL_cleanse(identity
, sizeof(identity
));
3029 OPENSSL_clear_free(tmppsk
, psklen
);
3030 OPENSSL_clear_free(tmpidentity
, identitylen
);
3034 SSLfatal(s
, SSL_AD_INTERNAL_ERROR
, ERR_R_INTERNAL_ERROR
);
3039 static int tls_construct_cke_rsa(SSL_CONNECTION
*s
, WPACKET
*pkt
)
3041 unsigned char *encdata
= NULL
;
3042 EVP_PKEY
*pkey
= NULL
;
3043 EVP_PKEY_CTX
*pctx
= NULL
;
3045 unsigned char *pms
= NULL
;
3047 SSL_CTX
*sctx
= SSL_CONNECTION_GET_CTX(s
);
3049 if (!received_server_cert(s
)) {
3051 * We should always have a server certificate with SSL_kRSA.
3053 SSLfatal(s
, SSL_AD_INTERNAL_ERROR
, ERR_R_INTERNAL_ERROR
);
3057 if ((pkey
= tls_get_peer_pkey(s
)) == NULL
) {
3058 SSLfatal(s
, SSL_AD_INTERNAL_ERROR
, ERR_R_INTERNAL_ERROR
);
3062 if (!EVP_PKEY_is_a(pkey
, "RSA")) {
3063 SSLfatal(s
, SSL_AD_INTERNAL_ERROR
, ERR_R_INTERNAL_ERROR
);
3067 pmslen
= SSL_MAX_MASTER_KEY_LENGTH
;
3068 pms
= OPENSSL_malloc(pmslen
);
3070 SSLfatal(s
, SSL_AD_INTERNAL_ERROR
, ERR_R_CRYPTO_LIB
);
3074 pms
[0] = s
->client_version
>> 8;
3075 pms
[1] = s
->client_version
& 0xff;
3076 if (RAND_bytes_ex(sctx
->libctx
, pms
+ 2, pmslen
- 2, 0) <= 0) {
3077 SSLfatal(s
, SSL_AD_INTERNAL_ERROR
, ERR_R_RAND_LIB
);
3081 /* Fix buf for TLS and beyond */
3082 if (s
->version
> SSL3_VERSION
&& !WPACKET_start_sub_packet_u16(pkt
)) {
3083 SSLfatal(s
, SSL_AD_INTERNAL_ERROR
, ERR_R_INTERNAL_ERROR
);
3087 pctx
= EVP_PKEY_CTX_new_from_pkey(sctx
->libctx
, pkey
, sctx
->propq
);
3088 if (pctx
== NULL
|| EVP_PKEY_encrypt_init(pctx
) <= 0
3089 || EVP_PKEY_encrypt(pctx
, NULL
, &enclen
, pms
, pmslen
) <= 0) {
3090 SSLfatal(s
, SSL_AD_INTERNAL_ERROR
, ERR_R_EVP_LIB
);
3093 if (!WPACKET_allocate_bytes(pkt
, enclen
, &encdata
)
3094 || EVP_PKEY_encrypt(pctx
, encdata
, &enclen
, pms
, pmslen
) <= 0) {
3095 SSLfatal(s
, SSL_AD_INTERNAL_ERROR
, SSL_R_BAD_RSA_ENCRYPT
);
3098 EVP_PKEY_CTX_free(pctx
);
3101 /* Fix buf for TLS and beyond */
3102 if (s
->version
> SSL3_VERSION
&& !WPACKET_close(pkt
)) {
3103 SSLfatal(s
, SSL_AD_INTERNAL_ERROR
, ERR_R_INTERNAL_ERROR
);
3107 /* Log the premaster secret, if logging is enabled. */
3108 if (!ssl_log_rsa_client_key_exchange(s
, encdata
, enclen
, pms
, pmslen
)) {
3109 /* SSLfatal() already called */
3113 s
->s3
.tmp
.pms
= pms
;
3114 s
->s3
.tmp
.pmslen
= pmslen
;
3118 OPENSSL_clear_free(pms
, pmslen
);
3119 EVP_PKEY_CTX_free(pctx
);
3124 static int tls_construct_cke_dhe(SSL_CONNECTION
*s
, WPACKET
*pkt
)
3126 EVP_PKEY
*ckey
= NULL
, *skey
= NULL
;
3127 unsigned char *keybytes
= NULL
;
3129 unsigned char *encoded_pub
= NULL
;
3130 size_t encoded_pub_len
, pad_len
;
3133 skey
= s
->s3
.peer_tmp
;
3135 SSLfatal(s
, SSL_AD_INTERNAL_ERROR
, ERR_R_INTERNAL_ERROR
);
3139 ckey
= ssl_generate_pkey(s
, skey
);
3141 SSLfatal(s
, SSL_AD_INTERNAL_ERROR
, ERR_R_INTERNAL_ERROR
);
3145 if (ssl_derive(s
, ckey
, skey
, 0) == 0) {
3146 /* SSLfatal() already called */
3150 /* send off the data */
3152 /* Generate encoding of server key */
3153 encoded_pub_len
= EVP_PKEY_get1_encoded_public_key(ckey
, &encoded_pub
);
3154 if (encoded_pub_len
== 0) {
3155 SSLfatal(s
, SSL_AD_INTERNAL_ERROR
, ERR_R_INTERNAL_ERROR
);
3156 EVP_PKEY_free(ckey
);
3157 return EXT_RETURN_FAIL
;
3161 * For interoperability with some versions of the Microsoft TLS
3162 * stack, we need to zero pad the DHE pub key to the same length
3165 prime_len
= EVP_PKEY_get_size(ckey
);
3166 pad_len
= prime_len
- encoded_pub_len
;
3168 if (!WPACKET_sub_allocate_bytes_u16(pkt
, pad_len
, &keybytes
)) {
3169 SSLfatal(s
, SSL_AD_INTERNAL_ERROR
, ERR_R_INTERNAL_ERROR
);
3172 memset(keybytes
, 0, pad_len
);
3175 if (!WPACKET_sub_memcpy_u16(pkt
, encoded_pub
, encoded_pub_len
)) {
3176 SSLfatal(s
, SSL_AD_INTERNAL_ERROR
, ERR_R_INTERNAL_ERROR
);
3182 OPENSSL_free(encoded_pub
);
3183 EVP_PKEY_free(ckey
);
3187 static int tls_construct_cke_ecdhe(SSL_CONNECTION
*s
, WPACKET
*pkt
)
3189 unsigned char *encodedPoint
= NULL
;
3190 size_t encoded_pt_len
= 0;
3191 EVP_PKEY
*ckey
= NULL
, *skey
= NULL
;
3194 skey
= s
->s3
.peer_tmp
;
3196 SSLfatal(s
, SSL_AD_INTERNAL_ERROR
, ERR_R_INTERNAL_ERROR
);
3200 ckey
= ssl_generate_pkey(s
, skey
);
3202 SSLfatal(s
, SSL_AD_INTERNAL_ERROR
, ERR_R_SSL_LIB
);
3206 if (ssl_derive(s
, ckey
, skey
, 0) == 0) {
3207 /* SSLfatal() already called */
3211 /* Generate encoding of client key */
3212 encoded_pt_len
= EVP_PKEY_get1_encoded_public_key(ckey
, &encodedPoint
);
3214 if (encoded_pt_len
== 0) {
3215 SSLfatal(s
, SSL_AD_INTERNAL_ERROR
, ERR_R_EC_LIB
);
3219 if (!WPACKET_sub_memcpy_u8(pkt
, encodedPoint
, encoded_pt_len
)) {
3220 SSLfatal(s
, SSL_AD_INTERNAL_ERROR
, ERR_R_INTERNAL_ERROR
);
3226 OPENSSL_free(encodedPoint
);
3227 EVP_PKEY_free(ckey
);
3231 static int tls_construct_cke_gost(SSL_CONNECTION
*s
, WPACKET
*pkt
)
3233 #ifndef OPENSSL_NO_GOST
3234 /* GOST key exchange message creation */
3235 EVP_PKEY_CTX
*pkey_ctx
= NULL
;
3236 EVP_PKEY
*pkey
= NULL
;
3238 unsigned int md_len
;
3239 unsigned char shared_ukm
[32], tmp
[256];
3240 EVP_MD_CTX
*ukm_hash
= NULL
;
3241 int dgst_nid
= NID_id_GostR3411_94
;
3242 unsigned char *pms
= NULL
;
3244 SSL_CTX
*sctx
= SSL_CONNECTION_GET_CTX(s
);
3246 if ((s
->s3
.tmp
.new_cipher
->algorithm_auth
& SSL_aGOST12
) != 0)
3247 dgst_nid
= NID_id_GostR3411_2012_256
;
3250 * Get server certificate PKEY and create ctx from it
3252 if ((pkey
= tls_get_peer_pkey(s
)) == NULL
) {
3253 SSLfatal(s
, SSL_AD_HANDSHAKE_FAILURE
,
3254 SSL_R_NO_GOST_CERTIFICATE_SENT_BY_PEER
);
3258 pkey_ctx
= EVP_PKEY_CTX_new_from_pkey(sctx
->libctx
,
3261 if (pkey_ctx
== NULL
) {
3262 SSLfatal(s
, SSL_AD_INTERNAL_ERROR
, ERR_R_EVP_LIB
);
3266 * If we have send a certificate, and certificate key
3267 * parameters match those of server certificate, use
3268 * certificate key for key exchange
3271 /* Otherwise, generate ephemeral key pair */
3273 pms
= OPENSSL_malloc(pmslen
);
3275 SSLfatal(s
, SSL_AD_INTERNAL_ERROR
, ERR_R_CRYPTO_LIB
);
3279 if (EVP_PKEY_encrypt_init(pkey_ctx
) <= 0
3280 /* Generate session key
3282 || RAND_bytes_ex(sctx
->libctx
, pms
, pmslen
, 0) <= 0) {
3283 SSLfatal(s
, SSL_AD_INTERNAL_ERROR
, ERR_R_INTERNAL_ERROR
);
3287 * Compute shared IV and store it in algorithm-specific context
3290 ukm_hash
= EVP_MD_CTX_new();
3291 if (ukm_hash
== NULL
3292 || EVP_DigestInit(ukm_hash
, EVP_get_digestbynid(dgst_nid
)) <= 0
3293 || EVP_DigestUpdate(ukm_hash
, s
->s3
.client_random
,
3294 SSL3_RANDOM_SIZE
) <= 0
3295 || EVP_DigestUpdate(ukm_hash
, s
->s3
.server_random
,
3296 SSL3_RANDOM_SIZE
) <= 0
3297 || EVP_DigestFinal_ex(ukm_hash
, shared_ukm
, &md_len
) <= 0) {
3298 SSLfatal(s
, SSL_AD_INTERNAL_ERROR
, ERR_R_INTERNAL_ERROR
);
3301 EVP_MD_CTX_free(ukm_hash
);
3303 if (EVP_PKEY_CTX_ctrl(pkey_ctx
, -1, EVP_PKEY_OP_ENCRYPT
,
3304 EVP_PKEY_CTRL_SET_IV
, 8, shared_ukm
) <= 0) {
3305 SSLfatal(s
, SSL_AD_INTERNAL_ERROR
, SSL_R_LIBRARY_BUG
);
3308 /* Make GOST keytransport blob message */
3310 * Encapsulate it into sequence
3313 if (EVP_PKEY_encrypt(pkey_ctx
, tmp
, &msglen
, pms
, pmslen
) <= 0) {
3314 SSLfatal(s
, SSL_AD_INTERNAL_ERROR
, SSL_R_LIBRARY_BUG
);
3318 if (!WPACKET_put_bytes_u8(pkt
, V_ASN1_SEQUENCE
| V_ASN1_CONSTRUCTED
)
3319 || (msglen
>= 0x80 && !WPACKET_put_bytes_u8(pkt
, 0x81))
3320 || !WPACKET_sub_memcpy_u8(pkt
, tmp
, msglen
)) {
3321 SSLfatal(s
, SSL_AD_INTERNAL_ERROR
, ERR_R_INTERNAL_ERROR
);
3325 EVP_PKEY_CTX_free(pkey_ctx
);
3326 s
->s3
.tmp
.pms
= pms
;
3327 s
->s3
.tmp
.pmslen
= pmslen
;
3331 EVP_PKEY_CTX_free(pkey_ctx
);
3332 OPENSSL_clear_free(pms
, pmslen
);
3333 EVP_MD_CTX_free(ukm_hash
);
3336 SSLfatal(s
, SSL_AD_INTERNAL_ERROR
, ERR_R_INTERNAL_ERROR
);
3341 #ifndef OPENSSL_NO_GOST
3342 int ossl_gost18_cke_cipher_nid(const SSL_CONNECTION
*s
)
3344 if ((s
->s3
.tmp
.new_cipher
->algorithm_enc
& SSL_MAGMA
) != 0)
3345 return NID_magma_ctr
;
3346 else if ((s
->s3
.tmp
.new_cipher
->algorithm_enc
& SSL_KUZNYECHIK
) != 0)
3347 return NID_kuznyechik_ctr
;
3352 int ossl_gost_ukm(const SSL_CONNECTION
*s
, unsigned char *dgst_buf
)
3354 EVP_MD_CTX
* hash
= NULL
;
3355 unsigned int md_len
;
3356 SSL_CTX
*sctx
= SSL_CONNECTION_GET_CTX(s
);
3357 const EVP_MD
*md
= ssl_evp_md_fetch(sctx
->libctx
, NID_id_GostR3411_2012_256
,
3363 if ((hash
= EVP_MD_CTX_new()) == NULL
3364 || EVP_DigestInit(hash
, md
) <= 0
3365 || EVP_DigestUpdate(hash
, s
->s3
.client_random
, SSL3_RANDOM_SIZE
) <= 0
3366 || EVP_DigestUpdate(hash
, s
->s3
.server_random
, SSL3_RANDOM_SIZE
) <= 0
3367 || EVP_DigestFinal_ex(hash
, dgst_buf
, &md_len
) <= 0) {
3368 EVP_MD_CTX_free(hash
);
3369 ssl_evp_md_free(md
);
3373 EVP_MD_CTX_free(hash
);
3374 ssl_evp_md_free(md
);
3379 static int tls_construct_cke_gost18(SSL_CONNECTION
*s
, WPACKET
*pkt
)
3381 #ifndef OPENSSL_NO_GOST
3382 /* GOST 2018 key exchange message creation */
3383 unsigned char rnd_dgst
[32];
3384 unsigned char *encdata
= NULL
;
3385 EVP_PKEY_CTX
*pkey_ctx
= NULL
;
3387 unsigned char *pms
= NULL
;
3390 int cipher_nid
= ossl_gost18_cke_cipher_nid(s
);
3391 SSL_CTX
*sctx
= SSL_CONNECTION_GET_CTX(s
);
3393 if (cipher_nid
== NID_undef
) {
3394 SSLfatal(s
, SSL_AD_INTERNAL_ERROR
, ERR_R_INTERNAL_ERROR
);
3398 if (ossl_gost_ukm(s
, rnd_dgst
) <= 0) {
3399 SSLfatal(s
, SSL_AD_INTERNAL_ERROR
, ERR_R_INTERNAL_ERROR
);
3403 /* Pre-master secret - random bytes */
3405 pms
= OPENSSL_malloc(pmslen
);
3407 SSLfatal(s
, SSL_AD_INTERNAL_ERROR
, ERR_R_CRYPTO_LIB
);
3411 if (RAND_bytes_ex(sctx
->libctx
, pms
, pmslen
, 0) <= 0) {
3412 SSLfatal(s
, SSL_AD_INTERNAL_ERROR
, ERR_R_INTERNAL_ERROR
);
3416 /* Get server certificate PKEY and create ctx from it */
3417 if ((pkey
= tls_get_peer_pkey(s
)) == NULL
) {
3418 SSLfatal(s
, SSL_AD_HANDSHAKE_FAILURE
,
3419 SSL_R_NO_GOST_CERTIFICATE_SENT_BY_PEER
);
3423 pkey_ctx
= EVP_PKEY_CTX_new_from_pkey(sctx
->libctx
,
3426 if (pkey_ctx
== NULL
) {
3427 SSLfatal(s
, SSL_AD_INTERNAL_ERROR
, ERR_R_EVP_LIB
);
3431 if (EVP_PKEY_encrypt_init(pkey_ctx
) <= 0) {
3432 SSLfatal(s
, SSL_AD_INTERNAL_ERROR
, ERR_R_INTERNAL_ERROR
);
3436 /* Reuse EVP_PKEY_CTRL_SET_IV, make choice in engine code */
3437 if (EVP_PKEY_CTX_ctrl(pkey_ctx
, -1, EVP_PKEY_OP_ENCRYPT
,
3438 EVP_PKEY_CTRL_SET_IV
, 32, rnd_dgst
) <= 0) {
3439 SSLfatal(s
, SSL_AD_INTERNAL_ERROR
, SSL_R_LIBRARY_BUG
);
3443 if (EVP_PKEY_CTX_ctrl(pkey_ctx
, -1, EVP_PKEY_OP_ENCRYPT
,
3444 EVP_PKEY_CTRL_CIPHER
, cipher_nid
, NULL
) <= 0) {
3445 SSLfatal(s
, SSL_AD_INTERNAL_ERROR
, SSL_R_LIBRARY_BUG
);
3449 if (EVP_PKEY_encrypt(pkey_ctx
, NULL
, &msglen
, pms
, pmslen
) <= 0) {
3450 SSLfatal(s
, SSL_AD_INTERNAL_ERROR
, ERR_R_EVP_LIB
);
3454 if (!WPACKET_allocate_bytes(pkt
, msglen
, &encdata
)
3455 || EVP_PKEY_encrypt(pkey_ctx
, encdata
, &msglen
, pms
, pmslen
) <= 0) {
3456 SSLfatal(s
, SSL_AD_INTERNAL_ERROR
, ERR_R_EVP_LIB
);
3460 EVP_PKEY_CTX_free(pkey_ctx
);
3462 s
->s3
.tmp
.pms
= pms
;
3463 s
->s3
.tmp
.pmslen
= pmslen
;
3467 EVP_PKEY_CTX_free(pkey_ctx
);
3468 OPENSSL_clear_free(pms
, pmslen
);
3471 SSLfatal(s
, SSL_AD_INTERNAL_ERROR
, ERR_R_INTERNAL_ERROR
);
3476 static int tls_construct_cke_srp(SSL_CONNECTION
*s
, WPACKET
*pkt
)
3478 #ifndef OPENSSL_NO_SRP
3479 unsigned char *abytes
= NULL
;
3481 if (s
->srp_ctx
.A
== NULL
3482 || !WPACKET_sub_allocate_bytes_u16(pkt
, BN_num_bytes(s
->srp_ctx
.A
),
3484 SSLfatal(s
, SSL_AD_INTERNAL_ERROR
, ERR_R_INTERNAL_ERROR
);
3487 BN_bn2bin(s
->srp_ctx
.A
, abytes
);
3489 OPENSSL_free(s
->session
->srp_username
);
3490 s
->session
->srp_username
= OPENSSL_strdup(s
->srp_ctx
.login
);
3491 if (s
->session
->srp_username
== NULL
) {
3492 SSLfatal(s
, SSL_AD_INTERNAL_ERROR
, ERR_R_CRYPTO_LIB
);
3498 SSLfatal(s
, SSL_AD_INTERNAL_ERROR
, ERR_R_INTERNAL_ERROR
);
3503 CON_FUNC_RETURN
tls_construct_client_key_exchange(SSL_CONNECTION
*s
,
3506 unsigned long alg_k
;
3508 alg_k
= s
->s3
.tmp
.new_cipher
->algorithm_mkey
;
3511 * All of the construct functions below call SSLfatal() if necessary so
3512 * no need to do so here.
3514 if ((alg_k
& SSL_PSK
)
3515 && !tls_construct_cke_psk_preamble(s
, pkt
))
3518 if (alg_k
& (SSL_kRSA
| SSL_kRSAPSK
)) {
3519 if (!tls_construct_cke_rsa(s
, pkt
))
3521 } else if (alg_k
& (SSL_kDHE
| SSL_kDHEPSK
)) {
3522 if (!tls_construct_cke_dhe(s
, pkt
))
3524 } else if (alg_k
& (SSL_kECDHE
| SSL_kECDHEPSK
)) {
3525 if (!tls_construct_cke_ecdhe(s
, pkt
))
3527 } else if (alg_k
& SSL_kGOST
) {
3528 if (!tls_construct_cke_gost(s
, pkt
))
3530 } else if (alg_k
& SSL_kGOST18
) {
3531 if (!tls_construct_cke_gost18(s
, pkt
))
3533 } else if (alg_k
& SSL_kSRP
) {
3534 if (!tls_construct_cke_srp(s
, pkt
))
3536 } else if (!(alg_k
& SSL_kPSK
)) {
3537 SSLfatal(s
, SSL_AD_INTERNAL_ERROR
, ERR_R_INTERNAL_ERROR
);
3541 return CON_FUNC_SUCCESS
;
3543 OPENSSL_clear_free(s
->s3
.tmp
.pms
, s
->s3
.tmp
.pmslen
);
3544 s
->s3
.tmp
.pms
= NULL
;
3545 s
->s3
.tmp
.pmslen
= 0;
3546 #ifndef OPENSSL_NO_PSK
3547 OPENSSL_clear_free(s
->s3
.tmp
.psk
, s
->s3
.tmp
.psklen
);
3548 s
->s3
.tmp
.psk
= NULL
;
3549 s
->s3
.tmp
.psklen
= 0;
3551 return CON_FUNC_ERROR
;
3554 int tls_client_key_exchange_post_work(SSL_CONNECTION
*s
)
3556 unsigned char *pms
= NULL
;
3559 pms
= s
->s3
.tmp
.pms
;
3560 pmslen
= s
->s3
.tmp
.pmslen
;
3562 #ifndef OPENSSL_NO_SRP
3564 if (s
->s3
.tmp
.new_cipher
->algorithm_mkey
& SSL_kSRP
) {
3565 if (!srp_generate_client_master_secret(s
)) {
3566 /* SSLfatal() already called */
3573 if (pms
== NULL
&& !(s
->s3
.tmp
.new_cipher
->algorithm_mkey
& SSL_kPSK
)) {
3574 SSLfatal(s
, SSL_AD_INTERNAL_ERROR
, ERR_R_PASSED_INVALID_ARGUMENT
);
3577 if (!ssl_generate_master_secret(s
, pms
, pmslen
, 1)) {
3578 /* SSLfatal() already called */
3579 /* ssl_generate_master_secret frees the pms even on error */
3587 #ifndef OPENSSL_NO_SCTP
3588 if (SSL_CONNECTION_IS_DTLS(s
)) {
3589 unsigned char sctpauthkey
[64];
3590 char labelbuffer
[sizeof(DTLS1_SCTP_AUTH_LABEL
)];
3592 SSL
*ssl
= SSL_CONNECTION_GET_SSL(s
);
3595 * Add new shared key for SCTP-Auth, will be ignored if no SCTP
3598 memcpy(labelbuffer
, DTLS1_SCTP_AUTH_LABEL
,
3599 sizeof(DTLS1_SCTP_AUTH_LABEL
));
3601 /* Don't include the terminating zero. */
3602 labellen
= sizeof(labelbuffer
) - 1;
3603 if (s
->mode
& SSL_MODE_DTLS_SCTP_LABEL_LENGTH_BUG
)
3606 if (SSL_export_keying_material(ssl
, sctpauthkey
,
3607 sizeof(sctpauthkey
), labelbuffer
,
3608 labellen
, NULL
, 0, 0) <= 0) {
3609 SSLfatal(s
, SSL_AD_INTERNAL_ERROR
, ERR_R_INTERNAL_ERROR
);
3613 BIO_ctrl(SSL_get_wbio(ssl
), BIO_CTRL_DGRAM_SCTP_ADD_AUTH_KEY
,
3614 sizeof(sctpauthkey
), sctpauthkey
);
3620 OPENSSL_clear_free(pms
, pmslen
);
3621 s
->s3
.tmp
.pms
= NULL
;
3622 s
->s3
.tmp
.pmslen
= 0;
3627 * Check a certificate can be used for client authentication. Currently check
3628 * cert exists, if we have a suitable digest for TLS 1.2 if static DH client
3629 * certificates can be used and optionally checks suitability for Suite B.
3631 static int ssl3_check_client_certificate(SSL_CONNECTION
*s
)
3633 /* If no suitable signature algorithm can't use certificate */
3634 if (!tls_choose_sigalg(s
, 0) || s
->s3
.tmp
.sigalg
== NULL
)
3637 * If strict mode check suitability of chain before using it. This also
3638 * adjusts suite B digest if necessary.
3640 if (s
->cert
->cert_flags
& SSL_CERT_FLAGS_CHECK_TLS_STRICT
&&
3641 !tls1_check_chain(s
, NULL
, NULL
, NULL
, -2))
3646 WORK_STATE
tls_prepare_client_certificate(SSL_CONNECTION
*s
, WORK_STATE wst
)
3649 EVP_PKEY
*pkey
= NULL
;
3651 SSL
*ssl
= SSL_CONNECTION_GET_SSL(s
);
3653 if (wst
== WORK_MORE_A
) {
3654 /* Let cert callback update client certificates if required */
3655 if (s
->cert
->cert_cb
) {
3656 i
= s
->cert
->cert_cb(ssl
, s
->cert
->cert_cb_arg
);
3658 s
->rwstate
= SSL_X509_LOOKUP
;
3662 SSLfatal(s
, SSL_AD_INTERNAL_ERROR
, SSL_R_CALLBACK_FAILED
);
3665 s
->rwstate
= SSL_NOTHING
;
3667 if (ssl3_check_client_certificate(s
)) {
3668 if (s
->post_handshake_auth
== SSL_PHA_REQUESTED
) {
3669 return WORK_FINISHED_STOP
;
3671 return WORK_FINISHED_CONTINUE
;
3674 /* Fall through to WORK_MORE_B */
3678 /* We need to get a client cert */
3679 if (wst
== WORK_MORE_B
) {
3681 * If we get an error, we need to ssl->rwstate=SSL_X509_LOOKUP;
3682 * return(-1); We then get retied later
3684 i
= ssl_do_client_cert_cb(s
, &x509
, &pkey
);
3686 s
->rwstate
= SSL_X509_LOOKUP
;
3689 s
->rwstate
= SSL_NOTHING
;
3690 if ((i
== 1) && (pkey
!= NULL
) && (x509
!= NULL
)) {
3691 if (!SSL_use_certificate(ssl
, x509
)
3692 || !SSL_use_PrivateKey(ssl
, pkey
))
3694 } else if (i
== 1) {
3696 ERR_raise(ERR_LIB_SSL
, SSL_R_BAD_DATA_RETURNED_BY_CALLBACK
);
3700 EVP_PKEY_free(pkey
);
3701 if (i
&& !ssl3_check_client_certificate(s
))
3704 if (s
->version
== SSL3_VERSION
) {
3705 s
->s3
.tmp
.cert_req
= 0;
3706 ssl3_send_alert(s
, SSL3_AL_WARNING
, SSL_AD_NO_CERTIFICATE
);
3707 return WORK_FINISHED_CONTINUE
;
3709 s
->s3
.tmp
.cert_req
= 2;
3710 s
->ext
.compress_certificate_from_peer
[0] = TLSEXT_comp_cert_none
;
3711 if (!ssl3_digest_cached_records(s
, 0)) {
3712 /* SSLfatal() already called */
3718 if (!SSL_CONNECTION_IS_TLS13(s
)
3719 || (s
->options
& SSL_OP_NO_TX_CERTIFICATE_COMPRESSION
) != 0)
3720 s
->ext
.compress_certificate_from_peer
[0] = TLSEXT_comp_cert_none
;
3722 if (s
->post_handshake_auth
== SSL_PHA_REQUESTED
)
3723 return WORK_FINISHED_STOP
;
3724 return WORK_FINISHED_CONTINUE
;
3727 /* Shouldn't ever get here */
3728 SSLfatal(s
, SSL_AD_INTERNAL_ERROR
, ERR_R_INTERNAL_ERROR
);
3732 CON_FUNC_RETURN
tls_construct_client_certificate(SSL_CONNECTION
*s
,
3735 CERT_PKEY
*cpk
= NULL
;
3736 SSL
*ssl
= SSL_CONNECTION_GET_SSL(s
);
3738 if (SSL_CONNECTION_IS_TLS13(s
)) {
3739 if (s
->pha_context
== NULL
) {
3740 /* no context available, add 0-length context */
3741 if (!WPACKET_put_bytes_u8(pkt
, 0)) {
3742 SSLfatal(s
, SSL_AD_INTERNAL_ERROR
, ERR_R_INTERNAL_ERROR
);
3743 return CON_FUNC_ERROR
;
3745 } else if (!WPACKET_sub_memcpy_u8(pkt
, s
->pha_context
, s
->pha_context_len
)) {
3746 SSLfatal(s
, SSL_AD_INTERNAL_ERROR
, ERR_R_INTERNAL_ERROR
);
3747 return CON_FUNC_ERROR
;
3750 if (s
->s3
.tmp
.cert_req
!= 2)
3752 switch (s
->ext
.client_cert_type
) {
3753 case TLSEXT_cert_type_rpk
:
3754 if (!tls_output_rpk(s
, pkt
, cpk
)) {
3755 /* SSLfatal() already called */
3756 return CON_FUNC_ERROR
;
3759 case TLSEXT_cert_type_x509
:
3760 if (!ssl3_output_cert_chain(s
, pkt
, cpk
, 0)) {
3761 /* SSLfatal() already called */
3762 return CON_FUNC_ERROR
;
3766 SSLfatal(s
, SSL_AD_INTERNAL_ERROR
, ERR_R_INTERNAL_ERROR
);
3767 return CON_FUNC_ERROR
;
3770 if (SSL_CONNECTION_IS_TLS13(s
)
3771 && SSL_IS_FIRST_HANDSHAKE(s
)
3772 && (!ssl
->method
->ssl3_enc
->change_cipher_state(s
,
3773 SSL3_CC_HANDSHAKE
| SSL3_CHANGE_CIPHER_CLIENT_WRITE
))) {
3775 * This is a fatal error, which leaves enc_write_ctx in an inconsistent
3776 * state and thus ssl3_send_alert may crash.
3778 SSLfatal(s
, SSL_AD_NO_ALERT
, SSL_R_CANNOT_CHANGE_CIPHER
);
3779 return CON_FUNC_ERROR
;
3782 return CON_FUNC_SUCCESS
;
3785 #ifndef OPENSSL_NO_COMP_ALG
3786 CON_FUNC_RETURN
tls_construct_client_compressed_certificate(SSL_CONNECTION
*sc
,
3789 SSL
*ssl
= SSL_CONNECTION_GET_SSL(sc
);
3791 BUF_MEM
*buf
= NULL
;
3794 COMP_METHOD
*method
;
3795 COMP_CTX
*comp
= NULL
;
3798 int alg
= sc
->ext
.compress_certificate_from_peer
[0];
3800 /* Note that sc->s3.tmp.cert_req == 2 is checked in write transition */
3802 if ((buf
= BUF_MEM_new()) == NULL
|| !WPACKET_init(&tmppkt
, buf
))
3805 /* Use the |tmppkt| for the to-be-compressed data */
3806 if (sc
->pha_context
== NULL
) {
3807 /* no context available, add 0-length context */
3808 if (!WPACKET_put_bytes_u8(&tmppkt
, 0))
3810 } else if (!WPACKET_sub_memcpy_u8(&tmppkt
, sc
->pha_context
, sc
->pha_context_len
))
3813 if (!ssl3_output_cert_chain(sc
, &tmppkt
, sc
->cert
->key
, 0)) {
3814 /* SSLfatal() already called */
3818 /* continue with the real |pkt| */
3819 if (!WPACKET_put_bytes_u16(pkt
, alg
)
3820 || !WPACKET_get_total_written(&tmppkt
, &length
)
3821 || !WPACKET_put_bytes_u24(pkt
, length
))
3825 case TLSEXT_comp_cert_zlib
:
3826 method
= COMP_zlib_oneshot();
3828 case TLSEXT_comp_cert_brotli
:
3829 method
= COMP_brotli_oneshot();
3831 case TLSEXT_comp_cert_zstd
:
3832 method
= COMP_zstd_oneshot();
3837 max_length
= ossl_calculate_comp_expansion(alg
, length
);
3839 if ((comp
= COMP_CTX_new(method
)) == NULL
3840 || !WPACKET_start_sub_packet_u24(pkt
)
3841 || !WPACKET_reserve_bytes(pkt
, max_length
, NULL
))
3844 comp_len
= COMP_compress_block(comp
, WPACKET_get_curr(pkt
), max_length
,
3845 (unsigned char *)buf
->data
, length
);
3849 if (!WPACKET_allocate_bytes(pkt
, comp_len
, NULL
)
3850 || !WPACKET_close(pkt
))
3853 if (SSL_IS_FIRST_HANDSHAKE(sc
)
3854 && (!ssl
->method
->ssl3_enc
->change_cipher_state(sc
,
3855 SSL3_CC_HANDSHAKE
| SSL3_CHANGE_CIPHER_CLIENT_WRITE
))) {
3857 * This is a fatal error, which leaves sc->enc_write_ctx in an
3858 * inconsistent state and thus ssl3_send_alert may crash.
3860 SSLfatal(sc
, SSL_AD_NO_ALERT
, SSL_R_CANNOT_CHANGE_CIPHER
);
3867 SSLfatal(sc
, SSL_AD_INTERNAL_ERROR
, ERR_R_INTERNAL_ERROR
);
3870 /* If |buf| is NULL, then |tmppkt| could not have been initialized */
3871 WPACKET_cleanup(&tmppkt
);
3874 COMP_CTX_free(comp
);
3879 int ssl3_check_cert_and_algorithm(SSL_CONNECTION
*s
)
3881 const SSL_CERT_LOOKUP
*clu
;
3886 alg_k
= s
->s3
.tmp
.new_cipher
->algorithm_mkey
;
3887 alg_a
= s
->s3
.tmp
.new_cipher
->algorithm_auth
;
3889 /* we don't have a certificate */
3890 if (!(alg_a
& SSL_aCERT
))
3893 /* This is the passed certificate */
3894 pkey
= tls_get_peer_pkey(s
);
3895 clu
= ssl_cert_lookup_by_pkey(pkey
, &idx
, SSL_CONNECTION_GET_CTX(s
));
3897 /* Check certificate is recognised and suitable for cipher */
3898 if (clu
== NULL
|| (alg_a
& clu
->amask
) == 0) {
3899 SSLfatal(s
, SSL_AD_HANDSHAKE_FAILURE
, SSL_R_MISSING_SIGNING_CERT
);
3903 if (alg_k
& (SSL_kRSA
| SSL_kRSAPSK
) && idx
!= SSL_PKEY_RSA
) {
3904 SSLfatal(s
, SSL_AD_HANDSHAKE_FAILURE
,
3905 SSL_R_MISSING_RSA_ENCRYPTING_CERT
);
3909 if ((alg_k
& SSL_kDHE
) && (s
->s3
.peer_tmp
== NULL
)) {
3910 SSLfatal(s
, SSL_AD_INTERNAL_ERROR
, ERR_R_INTERNAL_ERROR
);
3914 /* Early out to skip the checks below */
3915 if (s
->session
->peer_rpk
!= NULL
)
3918 if (clu
->amask
& SSL_aECDSA
) {
3919 if (ssl_check_srvr_ecc_cert_and_alg(s
->session
->peer
, s
))
3921 SSLfatal(s
, SSL_AD_HANDSHAKE_FAILURE
, SSL_R_BAD_ECC_CERT
);
3928 #ifndef OPENSSL_NO_NEXTPROTONEG
3929 CON_FUNC_RETURN
tls_construct_next_proto(SSL_CONNECTION
*s
, WPACKET
*pkt
)
3931 size_t len
, padding_len
;
3932 unsigned char *padding
= NULL
;
3934 len
= s
->ext
.npn_len
;
3935 padding_len
= 32 - ((len
+ 2) % 32);
3937 if (!WPACKET_sub_memcpy_u8(pkt
, s
->ext
.npn
, len
)
3938 || !WPACKET_sub_allocate_bytes_u8(pkt
, padding_len
, &padding
)) {
3939 SSLfatal(s
, SSL_AD_INTERNAL_ERROR
, ERR_R_INTERNAL_ERROR
);
3940 return CON_FUNC_ERROR
;
3943 memset(padding
, 0, padding_len
);
3945 return CON_FUNC_SUCCESS
;
3949 MSG_PROCESS_RETURN
tls_process_hello_req(SSL_CONNECTION
*s
, PACKET
*pkt
)
3951 SSL
*ssl
= SSL_CONNECTION_GET_SSL(s
);
3953 if (PACKET_remaining(pkt
) > 0) {
3954 /* should contain no data */
3955 SSLfatal(s
, SSL_AD_DECODE_ERROR
, SSL_R_LENGTH_MISMATCH
);
3956 return MSG_PROCESS_ERROR
;
3959 if ((s
->options
& SSL_OP_NO_RENEGOTIATION
)) {
3960 ssl3_send_alert(s
, SSL3_AL_WARNING
, SSL_AD_NO_RENEGOTIATION
);
3961 return MSG_PROCESS_FINISHED_READING
;
3965 * This is a historical discrepancy (not in the RFC) maintained for
3966 * compatibility reasons. If a TLS client receives a HelloRequest it will
3967 * attempt an abbreviated handshake. However if a DTLS client receives a
3968 * HelloRequest it will do a full handshake. Either behaviour is reasonable
3969 * but doing one for TLS and another for DTLS is odd.
3971 if (SSL_CONNECTION_IS_DTLS(s
))
3972 SSL_renegotiate(ssl
);
3974 SSL_renegotiate_abbreviated(ssl
);
3976 return MSG_PROCESS_FINISHED_READING
;
3979 static MSG_PROCESS_RETURN
tls_process_encrypted_extensions(SSL_CONNECTION
*s
,
3983 RAW_EXTENSION
*rawexts
= NULL
;
3985 if (!PACKET_as_length_prefixed_2(pkt
, &extensions
)
3986 || PACKET_remaining(pkt
) != 0) {
3987 SSLfatal(s
, SSL_AD_DECODE_ERROR
, SSL_R_LENGTH_MISMATCH
);
3991 if (!tls_collect_extensions(s
, &extensions
,
3992 SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS
, &rawexts
,
3994 || !tls_parse_all_extensions(s
, SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS
,
3995 rawexts
, NULL
, 0, 1)) {
3996 /* SSLfatal() already called */
4000 OPENSSL_free(rawexts
);
4001 return MSG_PROCESS_CONTINUE_READING
;
4004 OPENSSL_free(rawexts
);
4005 return MSG_PROCESS_ERROR
;
4008 int ssl_do_client_cert_cb(SSL_CONNECTION
*s
, X509
**px509
, EVP_PKEY
**ppkey
)
4011 SSL_CTX
*sctx
= SSL_CONNECTION_GET_CTX(s
);
4013 #ifndef OPENSSL_NO_ENGINE
4014 if (sctx
->client_cert_engine
) {
4015 i
= tls_engine_load_ssl_client_cert(s
, px509
, ppkey
);
4020 if (sctx
->client_cert_cb
)
4021 i
= sctx
->client_cert_cb(SSL_CONNECTION_GET_SSL(s
), px509
, ppkey
);
4025 int ssl_cipher_list_to_bytes(SSL_CONNECTION
*s
, STACK_OF(SSL_CIPHER
) *sk
,
4029 size_t totlen
= 0, len
, maxlen
, maxverok
= 0;
4030 int empty_reneg_info_scsv
= !s
->renegotiate
;
4031 SSL
*ssl
= SSL_CONNECTION_GET_SSL(s
);
4033 /* Set disabled masks for this session */
4034 if (!ssl_set_client_disabled(s
)) {
4035 SSLfatal(s
, SSL_AD_INTERNAL_ERROR
, SSL_R_NO_PROTOCOLS_AVAILABLE
);
4040 SSLfatal(s
, SSL_AD_INTERNAL_ERROR
, ERR_R_INTERNAL_ERROR
);
4044 #ifdef OPENSSL_MAX_TLS1_2_CIPHER_LENGTH
4045 # if OPENSSL_MAX_TLS1_2_CIPHER_LENGTH < 6
4046 # error Max cipher length too short
4049 * Some servers hang if client hello > 256 bytes as hack workaround
4050 * chop number of supported ciphers to keep it well below this if we
4053 if (TLS1_get_version(ssl
) >= TLS1_2_VERSION
)
4054 maxlen
= OPENSSL_MAX_TLS1_2_CIPHER_LENGTH
& ~1;
4057 /* Maximum length that can be stored in 2 bytes. Length must be even */
4060 if (empty_reneg_info_scsv
)
4062 if (s
->mode
& SSL_MODE_SEND_FALLBACK_SCSV
)
4065 for (i
= 0; i
< sk_SSL_CIPHER_num(sk
) && totlen
< maxlen
; i
++) {
4066 const SSL_CIPHER
*c
;
4068 c
= sk_SSL_CIPHER_value(sk
, i
);
4069 /* Skip disabled ciphers */
4070 if (ssl_cipher_disabled(s
, c
, SSL_SECOP_CIPHER_SUPPORTED
, 0))
4073 if (!ssl
->method
->put_cipher_by_char(c
, pkt
, &len
)) {
4074 SSLfatal(s
, SSL_AD_INTERNAL_ERROR
, ERR_R_INTERNAL_ERROR
);
4078 /* Sanity check that the maximum version we offer has ciphers enabled */
4080 if (SSL_CONNECTION_IS_DTLS(s
)) {
4081 if (DTLS_VERSION_GE(c
->max_dtls
, s
->s3
.tmp
.max_ver
)
4082 && DTLS_VERSION_LE(c
->min_dtls
, s
->s3
.tmp
.max_ver
))
4085 if (c
->max_tls
>= s
->s3
.tmp
.max_ver
4086 && c
->min_tls
<= s
->s3
.tmp
.max_ver
)
4094 if (totlen
== 0 || !maxverok
) {
4095 const char *maxvertext
=
4097 ? "No ciphers enabled for max supported SSL/TLS version"
4100 SSLfatal_data(s
, SSL_AD_INTERNAL_ERROR
, SSL_R_NO_CIPHERS_AVAILABLE
,
4106 if (empty_reneg_info_scsv
) {
4107 static SSL_CIPHER scsv
= {
4108 0, NULL
, NULL
, SSL3_CK_SCSV
, 0, 0, 0, 0, 0, 0, 0, 0, 0
4110 if (!ssl
->method
->put_cipher_by_char(&scsv
, pkt
, &len
)) {
4111 SSLfatal(s
, SSL_AD_INTERNAL_ERROR
, ERR_R_INTERNAL_ERROR
);
4115 if (s
->mode
& SSL_MODE_SEND_FALLBACK_SCSV
) {
4116 static SSL_CIPHER scsv
= {
4117 0, NULL
, NULL
, SSL3_CK_FALLBACK_SCSV
, 0, 0, 0, 0, 0, 0, 0, 0, 0
4119 if (!ssl
->method
->put_cipher_by_char(&scsv
, pkt
, &len
)) {
4120 SSLfatal(s
, SSL_AD_INTERNAL_ERROR
, ERR_R_INTERNAL_ERROR
);
4129 CON_FUNC_RETURN
tls_construct_end_of_early_data(SSL_CONNECTION
*s
, WPACKET
*pkt
)
4131 if (s
->early_data_state
!= SSL_EARLY_DATA_WRITE_RETRY
4132 && s
->early_data_state
!= SSL_EARLY_DATA_FINISHED_WRITING
) {
4133 SSLfatal(s
, SSL_AD_INTERNAL_ERROR
, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED
);
4134 return CON_FUNC_ERROR
;
4137 s
->early_data_state
= SSL_EARLY_DATA_FINISHED_WRITING
;
4138 return CON_FUNC_SUCCESS
;